The single sign-on specs signed by Microsoft and Sun last week are a step in the right direction but not the solution, analysts and end-users have complained.

Microsoft and Sun released draft specifications for single sign-on for Solaris and Windows, which they say will be submitted to an as-yet-unnamed standards body. But end-users won't see products with capabilities built around the specs until next year.

The access-control and single sign-on products now on the market have largely been developed to work in single operating environments, said Lynn Goodendorf, VP of information privacy protection at InterContinental Hotels Group.

"The goal of most users is we want to have one solution that would work in all our different environments and operating systems, and not have multiple tools to do that," Goodendorf said. She noted that InterContinental has a single sign-on system for its Web-based applications but not for its mainframes.

The specs won't help John Wade, CIO at Saint Luke's Health System. Most of the systems at Saint Luke's are from HP, and Wade said he just can't wait for IT vendors to solve the single sign-on problem. The lack of that capability is their major systems headache, he said.

As a result, Wade expects to spend $100,000 to $500,000 of his $23 million IT budget to add single sign-on functionality by early next year. The effort could involve the creation of custom interfaces. "I don't think any of the vendors have a real simplified directory management process," he said. "It's an industrywide problem."

Goodendorf said the Sun-Microsoft agreement was "a positive development for privacy" because single sign-on is closely coupled with improved data access controls.

But it's unclear whether the specifications will be supported as standards by other vendors. For example, the Liberty Alliance, which includes Sun and is one of the major vendor groups working on identity management issues, characterised the Microsoft-Sun specifications as a step, not a solution.

Sai Allavarpu, director of product management and marketing at HP, said Sun and Microsoft have no plan for involving users or other vendors in finalising the specifications. "So it doesn't appear to be a truly interoperable solution," he said. "It just appears to be interoperability between two implementations."

But Sun and Microsoft said that the standards-approval process will involve other vendors. And they argued that the specifications are applicable for any system that uses either the Liberty Alliance's protocols or the Web Services Federation specification, which was developed by Microsoft and vendors such as IBM and BEA.

IT managers have said that they welcome the prospect of single sign-on and that it could help reduce costs, but that there are risks as well.

"As nice as it is to think that one username and password will gain you access to all of your systems, it also means that the employees need to be overly protective of their log-in codes," said Brian Young, vice president of IT at Creighton University. "Single sign-on gives everyone a master key to their house."