‘Federated’ Web Services Next Battle for MS, Sun

No Web service is an island. But at least until recently, Web-services vendors have said little to customers about how they plan to build secure bridges across them.

Sources said Microsoft later this month is expected to detail its plans for “federating” its Web services by integrating them across multiple “trust boundaries” encompassing partners who abide by the same security rules. Microsoft’s federated services model is the centerpiece of its “Web Services 2” plan to take its .NET Web services platform and strategy to the next level.

Microsoft isn’t alone in building out its federated-services model. Sun Microsystems and its Liberty Alliance partners are working feverishly to flesh out its own federated-services specification. The Liberty Alliance is the Sun-backed group of 50 companies working on a single-sign-on, Web-services alternative to Microsoft’s Passport.

For current Web services pioneers such as Continental Airlines, a secure federated model is key to evolving their own Web-services strategies. “Web sites can become a federation of Web services,” says Ferdy Khater, director of technology with Continental. “A Web site basically becomes a service, where people can subscribe.”

Microsoft and Sun are talking a similar game when it comes to federation models.

Microsoft is expected to use its Tech Ed developers conference in New Orleans next week to begin laying the groundwork for how it plans to evolve its .NET platform. A few weeks later, the Redmond, Wash., software giant will talk publicly for the first time about its federated-services plans, sources say.

According to an internal Microsoft presentation viewed by Baseline magazine about the company’s Web Services 2 platform (a k a Indigo), Microsoft is devising a universal way to name, address and communicate with applications, and delegate that specification across trust domains.

To accomplish that task, the company is adding “Indigo extensions” to current .NET services. These Indigo-extended Web services will be incorporated into the next versions of Windows and other Microsoft products as they are developed and released, according to Microsoft’s plans.

Sun used similar federated lingo last week at its JavaOne developers show in San Francisco to describe how its own federated services model is evolving for its Sun ONE Web services platform.

At a session on the Liberty Alliance, Peter Yared, chief technologist for network identity at Sun, talked about the evolution of the “open, federated model” that Sun and its partners are building. Like Microsoft, Sun is building on top of emerging Web services standards, such as XML and the Simple Object Access Protocol (SOAP). And like Microsoft, Sun is planning to integrate federated-interaction capabilities into a variety of Web services, such as address books, wallets, calendars, instant messaging and the like.

“There are likely to be circles of trust,” Yared told panel participants. Users will likely have one work profile and one home profile, and vendors will set up “circles” of trusted partners and affiliates who will be able to process “extended identities,” Yared said.

The scheme will also pose challenges, Yared acknowledged. When establishing a single sign-on across different domains, vendors will need to make sure users can be recognized in a way that safeguards their privacy. Global IDs are not the best solution because of security and privacy concerns.

Instead, Sun and its Liberty partners are backing a scheme where arbitrary streams of bits—called “opaque handles”—would act as authenticated log-ins for users across domains. Users would have the option of creating a one-time-only link across domains or links that would expire after a set period of time.