Three potential scenarios for the future of identity federation

* Identity gurus meet to thrash out the future of identity federation

I spent a day last week with SURFnet. And, no, SURFnet has nothing to do with Moondoggie, Gidget, or the Beach Boys and it wasn't in Huntington Beach. It's actually all about education, and this day was about identity. SURFnet is the organization that operates the Dutch National Research and Education Network. It connects universities, hospitals, research institutions and other non-commercial organizations and, in turn, connects to other European and world-wide NRENs. One area that SURFnet has pioneered is in federated identity services. But the organization thought that it was time to plan for the future, and that's what last week's meeting was about.

The group invited a couple of dozen folks to a day-long workshop on federation. I was there, as was the Burton Group’s Gerry Gebel, Ping Identity’s Andre Durand, the Liberty Alliance’s Eve Maler, representatives from some of the constituent organizations within SURFnet, and identity experts from all over Europe. We listened as Maarten Wegdam of the Telematica Instituut (site is in Dutch) outlined three potential scenarios for identity federation going forward. Telematica organized this session and had been contracted by SURFnet to advise it on its plans.

The three scenarios were described as:

1) Identity as a service – towards a service-oriented identity federation architecture.

2) The user in control – a loosely-coupled user-centric identity federation.

3) The IDP (Identity Provider) – a tightly-coupled IDP-centric identity federation.

After the scenarios were outlined, we broke into three groups and each group developed one of the scenarios (I happened to draw the “user-centric” model). We then reconvened, discussed each group's findings and made recommendations to SURFnet as to the next steps they should take. I’m not going to go into the details of each scenario – or the recommendations – but one fascinating thing did occur. At a particularly abstract level, all three scenario recommendations looked very, very similar. The IDP-centric group, for example, recommended that there be at least some measure of user control over the release of data. And the user-centric group foresaw the need for cloud-based identity services (i.e., identity-as-a-service).

There were clear-cut distinctions, of course, but it’s heartening, really, that three such different scenarios can share so many features.

Your organization might not have the budget to pursue an effort like this, but given the excellent track record SURFnet has on networking and on identity issues it must be doing something right.