Federated ID gains momentum

Gone are the days when Midwestern manufacturing companies had to roll their own XML security to achieve single sign-on across Webbed supply chains. A spate of product announcements from vendors such as IBM, Oblix and RSA Security are bringing increased levels of turnkey Security Assertion Markup Language support.

Federation – the practice of authentication and identity information exchange across different security or technology domains – is spreading through different vertical industries. Like identity management overall, the drivers behind federation are a need for reduced sign-on, application integration and regulatory compliance. Early adopters report that even though you have to pay to play during the early stages of federated identity deployment, ROI is there for the taking. A Shibboleth project leader at The Pennsylvania State University who implemented SAML in 2002 reports an 85% drop in help desk calls.

Financial services companies have been using identity networks such as SecuritiesHub for years. There’s also been significant activity in industries such as mobile telecommunications, insurance, automotive, aerospace, manufacturing, government, travel and higher education.

Organizations are adopting federated identity for many use cases. Some require basic SAML authentication assertions for SSO in business-to-business scenarios. Others are looking at Liberty-Alliance-enabled products for consumer accounts linking with e-business affiliate partners. Others need SAML and/or Liberty for SSO with benefits suppliers, outsource partners or internal applications. While use cases today focus on browser-based SSO, federated identity also will become part of Web services deployments, providing back-end process integration and transactions in the longer term.

In an exciting twist, many business managers see more than just ROI; they see federated identity enabling competitive advantage. Demand is coming bottom up from business units and top down from IT infrastructure organizations.

But expect a few hardships. Many use cases require technically complex user name mapping or attribute information, and you have to specify and test the way the protocols will operate. Some vendor products are not as interoperable as their marketing literature would imply. But the most difficult issues are non-technical, such as getting executive buy-in, establishing agreements with partners, or passing legal reviews and risk assessments for this new way of doing business.

Early adopter pioneering challenges notwithstanding, federated identity is worth the effort. And fortunately, today’s products are increasingly functional, and with vendors such as BEA Systems, IBM, SAP and eventually Microsoft jumping aboard the SAML train, there’s a realistic expectation that stronger, identity-based security mechanisms will become native to platforms, tools and today’s add-on security middleware. I haven’t seen anything this exciting in this area since Multi-purpose Internet Mail Extensions began spreading like a prairie fire across the world of Internet mail in the early 1990s.