Federated ID: Still not ready for prime time

Analysts outline obstacles that keep federation technology from going mainstream, despite its potential to solve big business security problems.

For companies in search of a secure way to authenticate users and prevent online thievery in an increasingly virtual and decentralised business climate, federated identity management looks great on paper. Unfortunately, experts say, a number of obstacles continue to keep the technology from going mainstream.

Two years ago, advocates predicted the adoption of federation would accelerate rapidly, thanks to the advancement of Security Assertion Markup Language (SAML) 2.0. SAML 2.0 passed a series of interoperability tests early in 2005 and was approved as a formal standard by the Organisation for the Advancement of Structured Information Standards (OASIS). The Liberty Alliance - a global consortium of vendors and end users working to develop open federated identity standards for Web services - started testing tools that incorporate SAML 2.0 soon after, and vendors have lined up for the chance to get the alliance's seal of approval.

But two years have passed, and significant barriers continue to impede the technology's adoption, said Mike Neuenschwander, an analyst with Burton Group.

"Over the last few years, federation has been the subject of both hype and criticism," said Neuenschwander, who spent four months conducting more than 40 interviews with IT architects working on identity federation projects. "Federation apologists extol the technology's claims-based model, loose coupling, and trust relationships and predict its impending ubiquity. Critics counter that the complex mix of standards, liability, and business issues ensure the scheme will never get off the ground. The truth lies somewhere in between."

Federation advocates say the technology allows a richer integration of partners, a faster and cheaper coupling through standards; a simplified customer experience; deeper service offerings and better protection of customer information. While praising the concept, skeptics have deemed the technology too immature for widespread use.

For more information

See more of our special news coverage of Burton Group Catalyst Conference 2007.

What is federated identity management? Expert Joel Dubin has the answer.

Learn how to limit the risk and liability associated with federated identities.
Neuenschwander said he has come across many enterprises who have successfully taken on federation projects. Some are still in the early stages, but large federations can have more than 50 partner connections and continue to grow, he said, adding that these organisations have found that identity federation can reduce costs and improve security.

But the success of federation falls far short of visionaries' aspirations, he said, adding that no new business models have miraculously sprung into existence thanks to SAML or other standards, and the term federation rarely even shows up in customers' business cases.

"The coordination that federation requires among business partners significantly dampens the spread of the technology, making its ubiquity - even theoretically - impossible," Neuenschwander wrote in a recent report. "Some federation projects get scrapped for technical and non-technical reasons. And dynamic federations and federated marketplaces remain in the realm of science fiction fantasy."

In the final analysis, he said, federation is a "fantastic" concept, but in real-world use the standards, technologies, and products created under its banner are at once too broadly featured and ill suited for practical widespread deployment. "The world isn't as it is in developers' dreams," he wrote. "Businesses have inescapable constraints and markets are brutally pragmatic."

Neuenschwander said his message is aimed at two audiences: enterprises looking for a way to make federation work, and vendors who need to craft a vision and game plan for federation technology that doesn't descend into unwarranted hype.

"This is valuable technology for certain cases but it is not the Holy Grail and requires a certain degree of funding and project management," he said. "If you want single sign-on this can make a lot of sense and, if done correctly, can save a lot of money." But vendors must be careful not to oversell the benefits. "There is more to come," he said. "There needs to be a next generation of effort. There's a way to go before this is ready for prime time."

Doug Moench, a senior consultant at Burton Group, sees the same obstacles. At the conference he'll present some early-adopter case studies to show companies the way forward. In one of his reports, Moench said there are indeed benefits that make federation a concept worth fighting for.

"Federated identity, the exchange of information within and between enterprises, provides authentication and authorisation capabilities," he wrote. "Federation enables loosely coupled identity management across autonomous business domains and extends the reach of applications. It is now becoming a strategic requirement for most enterprise infrastructures and adoption continues in multiple industries."

He said organisations investing in federation are still seen as early adopters. Because the field is still developing, he said the challenges as well as the potential benefits can be significant. He hopes his workshop will provide insight into the results of early implementations.

Despite the current difficulties, he does predict that the next generation of Web services will include federated identity and that vendors and would-be adopters alike must "plan carefully to ensure [the] success of federated identity management projects."

For those looking to hear from a company that has successfully implemented federation identity management, John Tolbert, federation product manager and authorisation systems architect for Boeing, will give a presentation on the methods his company used to test and design a federated identity management infrastructure that will scale as more companies and organisations adopt the technology.

Boeing's initial federation efforts addressed the company's account management costs, and according to Tolbert, Boeing saved money by standardising and eliminating multiple accounts and passwords per user.

Federated identity management has also allowed the company to easily integrate with its external business partners. "It has eliminated the need for users to remember separate user IDs/passwords for various service providers," Tolbert said in an email, adding, "By using federation-enabled links, developers are able to build company-branded portals that have a good look and feel."

Still, as the Burton analysts have noted, Tolbert acknowledges that it has taken time for other organisations to deploy federation.

"We have found that the technology hasn't been as widely adopted as rapidly as we anticipated," he said.

Read more on Operating systems software