Secure Web Services Using Identity Management

Web services provide the architecture for allowing different systems to interoperate. By removing many of the challenges associated with systems integration, Web services allow organizations to achieve significant business results with current systems.

To achieve these results, Web services applications must be able to communicate with each other. However, to be a viable option for widespread use in mission-critical business solutions, communication between Web services must be secure to protect the underlying business systems.

As interactions between Web service requestors and providers increase, the need for trusted relationships also increases. Consider how traditional business transactions are conducted. Two parties meet, propose a transaction, and negotiate a relationship of trust. They often develop this relationship by demonstrating the value they bring to the transaction and validating their ability to complete the transaction.

This same process applies to service requestors and providers. The requestor and provider must establish a relationship of trust, which can be done by creating an identity for users and services. After each party confirms the other's identity, they can conduct their transactions with confidence.

Using identity information to confirm the validity of a user or service is known as role-based authentication. Role-based authentication relies on the fact that a "user" has a known, defined identity in a system. The user's access to systems, resources, and information is defined by their identity. For example, a manager would have access to a different set of information and systems than an individual contributor because their roles differ. Identity management and role-based authentication are important concepts for providing the authentication, authorization and single sign-on pieces of the secure Web services puzzle.

Current implementations of this concept build mechanisms for storing identity and role information in individual Web services. This approach works relatively well for single Web services or proprietary, internal implementations. However, it does not translate to solutions where multiple Web services in internal and public systems must work in harmony to accomplish complex business processes. There is no guarantee that these discrete identity management implementations will work with each other if the Web services must interact.

The Liberty Alliance Project was started to avoid this problem. One of the most striking propositions from the Liberty Alliance is the notion of delegating authentication, access control, and identity management to specialized identity provider services. By offloading identity management tasks to a separate provider, you create a framework that simplifies developing secure Web services solutions.

In the Liberty Alliance's view of Web services architectures, identity providers offer three important, identity-based security services: authentication, authorization, and single sign-on. Identity providers handle these security services by using directories as a central repository of identity information that is used to authenticate users or services and authorize their access to services, resources, or information based on roles and privileges stored in their identity profile.

To extend this to Web services, each Web service is given an identity within the directory. For complex business processes, the identity of all actors in the process must be verified, including the Web services. Because directory services can manage information about any kind of object, human or otherwise, you can maintain identity information about a Web service in a directory.

By giving a Web service an identity in a directory you can validate a Web service's identity in the same way that you would a human user's, apply the directory's built-in access controls to the Web service, and federate the Web service among many service providers for single sign-on capabilities. You also create an architecture that allows multiple Web services to interact and support complex business processes.
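As an added illustration (not code from the article, Novell, or the Liberty Alliance), the following Python sketches the architecture described in the preceding paragraphs: one directory holding entries for human users and for a Web service, an identity provider that authenticates principals against that directory and issues a signed assertion, and federated service providers that accept that single assertion (single sign-on) and authorize by the roles in the identity profile. The directory entries, distinguished names, passwords and the shared identity-provider key are constructed assumptions.

```python
import hashlib
import hmac
import json
import os
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode
# Constructed in-memory stand-in for the directory (assumption: a real deployment
# would query LDAP or a similar directory service for these entries).
def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _entry(password, roles):
    salt = os.urandom(16)
    return {"salt": salt, "pw": _hash_pw(password, salt), "roles": set(roles)}

# Human users and a Web service are entries in the same directory.
DIRECTORY = {
    "cn=alice,ou=people": _entry("alice-pass", ["manager", "employee"]),
    "cn=bob,ou=people": _entry("bob-pass", ["employee"]),
    "cn=orderSvc,ou=services": _entry("svc-secret", ["service", "order-reader"]),
}

IDP_KEY = os.urandom(32)  # assumed key shared between the IdP and federated providers

def authenticate(dn, password, ttl=300):
    """Identity provider: check the principal against the directory, issue a signed assertion."""
    entry = DIRECTORY.get(dn)
    if entry is None or not hmac.compare_digest(_hash_pw(password, entry["salt"]), entry["pw"]):
        return None
    body = json.dumps({"sub": dn, "roles": sorted(entry["roles"]),
                       "exp": int(time.time()) + ttl}).encode()
    sig = hmac.new(IDP_KEY, body, "sha256").digest()
    return urlsafe_b64encode(body).decode() + "." + urlsafe_b64encode(sig).decode()

def verify_assertion(token):
    """Service provider side: accept the IdP's assertion (single sign-on) if signed and unexpired."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = urlsafe_b64decode(body_b64), urlsafe_b64decode(sig_b64)
    except ValueError:
        return None
    if not hmac.compare_digest(hmac.new(IDP_KEY, body, "sha256").digest(), sig):
        return None
    claims = json.loads(body)
    return claims if claims["exp"] > time.time() else None

def authorize(token, required_role):
    """Role-based authorization using the roles stored in the identity profile."""
    claims = verify_assertion(token)
    return claims is not None and required_role in claims["roles"]
```

Any number of service providers sharing trust with the identity provider can call `authorize` on the same assertion, which is the single sign-on property; the Web service entry is verified and authorized exactly as a human user is.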

Directories are excellent for providing identity services as they are designed to manage internal and Web-based relationships between user identities, resources, and security policies. Perhaps most important, directory technology is here now and it's reliable. You don't have to implement new and unproven identity management technology within each Web service. Instead, you can use proven technology to provide authentication, authorization and single sign-on capabilities for your secure Web services solutions.

About Ashish Larivee
With more than 9 years of experience in the software industry, Ashish Larivee has designed and developed many enterprise applications across a variety of platforms including Microsoft, Lotus Notes / Domino, and the J2EE platform. In 1999, Ms. Larivee joined SilverStream Software, acquired by Novell in July 2002, and has served in various roles in consulting, development and technical marketing. In her current role, she helps define the strategy and product direction across Novell's Web Application Development Products.
