For companies in search of a secure way to
authenticate users and prevent online thievery in an
increasingly virtual and decentralised business climate, federated
identity management looks great on paper. Unfortunately, experts
say, a number of obstacles continue to keep the technology from
going mainstream.
Two years ago, advocates predicted the
adoption of federation would accelerate
rapidly, thanks to the advancement of
Security Assertion Markup Language (SAML)
2.0. SAML 2.0 passed a series of interoperability tests
early in 2005 and was approved as a formal standard by the
Organisation for the Advancement of Structured Information
Standards (OASIS). The
Liberty Alliance - a global consortium of vendors and end users
working to develop open federated identity standards for Web
services - started testing tools that incorporate SAML 2.0 soon
after, and vendors have lined up for the chance to get the
alliance's seal of approval.
But two years have passed, and significant barriers continue to
impede the technology's adoption, said Mike Neuenschwander, an
analyst with Burton Group.
"Over the last few years, federation has been the subject of
both hype and criticism," said Neuenschwander, who spent four
months conducting more than 40 interviews with IT architects
working on identity federation projects. "Federation apologists
extol the technology's claims-based model, loose coupling, and
trust relationships and predict its impending ubiquity. Critics
counter that the complex mix of standards, liability, and business
issues ensure the scheme will never get off the ground. The truth
lies somewhere in between."
Federation advocates say the technology allows a richer
integration of partners, a faster and cheaper coupling through
standards, a simplified customer experience, deeper service
offerings and better protection of customer information. While
praising the concept, skeptics have deemed the technology too
immature for widespread use.
Neuenschwander said he has come across many enterprises that have
successfully taken on federation projects. Some are still in the
early stages, but large federations can have more than 50 partner
connections and continue to grow, he said, adding that these
organisations have found that identity federation can reduce costs
and improve security.
But the success of federation falls far short of visionaries'
aspirations, he said, adding that no new business models have
miraculously sprung into existence thanks to SAML or other
standards, and the term federation rarely even shows up in
customers' business cases.
"The coordination that federation requires among business
partners significantly dampens the spread of the technology, making
its ubiquity - even theoretically - impossible," Neuenschwander
wrote in a recent report. "Some federation projects get scrapped
for technical and non-technical reasons. And dynamic federations
and federated marketplaces remain in the realm of science fiction
fantasy."
In the final analysis, he said, federation is a "fantastic"
concept, but in real-world use the standards, technologies, and
products created under its banner are at once too broadly featured
and ill suited for practical widespread deployment. "The world
isn't as it is in developers' dreams," he wrote. "Businesses have
inescapable constraints and markets are brutally pragmatic."
Neuenschwander said his message is aimed at two audiences:
enterprises looking for a way to make federation work, and vendors
who need to craft a vision and game plan for federation technology
that doesn't descend into unwarranted hype.
"This is valuable technology for certain cases but it is not the
Holy Grail and requires a certain degree of funding and project
management," he said. "If you want single sign-on this can make a
lot of sense and, if done correctly, can save a lot of money." But
vendors must be careful not to oversell the benefits. "There is
more to come," he said. "There needs to be a next generation of
effort. There's a way to go before this is ready for prime
time."
Doug Moench, a senior consultant at Burton Group, sees the same
obstacles. At the conference he'll present some early-adopter case
studies to show companies the way forward. In one of his reports,
Moench said there are indeed benefits that make federation a
concept worth fighting for.
"Federated identity, the exchange of information within and
between enterprises, provides authentication and authorisation
capabilities," he wrote. "Federation enables loosely coupled
identity management across autonomous business domains and extends
the reach of applications. It is now becoming a strategic
requirement for most enterprise infrastructures and adoption
continues in multiple industries."
He said organisations investing in federation are still seen as
early adopters. Because the field is still developing, he said the
challenges as well as the potential benefits can be significant. He
hopes his workshop will provide insight into the results of early
implementations.
Despite the current difficulties, he does predict that the next
generation of Web services will include federated identity and that
vendors and would-be adopters alike must "plan carefully to ensure
[the] success of federated identity management projects."
For those looking to hear from a company that has successfully
implemented federated identity management, John Tolbert,
federation product manager and authorisation systems architect for
Boeing, will give a presentation on the methods his company used to
test and design a federated identity management infrastructure that
will scale as more companies and organisations adopt the
technology.
Boeing's initial federation efforts addressed the company's
account management costs, and according to Tolbert, Boeing saved
money by standardising and eliminating multiple accounts and
passwords per user.
Federated identity management has also allowed the company to
easily integrate with its external business partners. "It has
eliminated the need for users to remember separate user
IDs/passwords for various service providers," Tolbert said in an
email, adding, "By using federation-enabled links, developers are
able to build company-branded portals that have a good look and
feel."
Still, as the Burton analysts have noted, Tolbert acknowledges
that it has taken time for other organisations to deploy
federation.
"We have found that the technology hasn't been as widely adopted
as rapidly as we anticipated," he said.