Sun Java System Access Manager 7 2005Q4 Federation and SAML Administration Guide

Deploying a Liberty-based System

To build a successful Liberty-based implementation, consider the issues described in this section. At a minimum, a Liberty-compliant identity server is needed to process Liberty-based requests and responses.

Assess the Qualifications of Your IT Staff

Although the specifications are aimed at large organizations, small and medium-sized companies with an experienced IT staff can also roll out a federated identity system. The specifications are complex and require several areas of expertise, including web services development, XML, networking, and security.

Clean Up Directory Data

The Liberty specifications do not dictate where identity data is stored. Before federating, purge your data store of obsolete identity profiles, consolidate (or delete) duplicate profiles, and verify that privileges are assigned correctly: once a profile is federated, other sites in the circle of trust will accept it as a trusted identity.


Tip –

Identity providers must enforce strict password policies. In a federated system a stolen credential is not confined to one site: once the identity provider authenticates the attacker, every service provider in the circle of trust accepts that authentication.


Draft Business Agreements

The specifications assume that trust relationships already exist among the members of a circle of trust. This trust is defined through business arrangements or contracts that describe the technical, operational, and legal responsibilities of each party and the consequences of failing to meet them. Once defined, a Liberty trust relationship means that one organization trusts another organization's user authentication decisions; that mutual trust is what lets a user log in at one site and then access another site without authenticating again. Ensure that these agreements are in force before going live with a Liberty-compliant system, including any configured authentication domains.