
Federated ID: Still not ready for prime time

By Bill Brenner, Senior News Writer
21 Jun 2007 | SearchSecurity.com


For companies in search of a secure way to authenticate users and prevent online thievery in an increasingly virtual and decentralized business climate, federated identity management looks great on paper. Unfortunately, experts say, a number of obstacles continue to keep the technology from going mainstream.

Two years ago, advocates predicted the adoption of federation would accelerate rapidly, thanks to the advancement of Security Assertion Markup Language (SAML) 2.0. SAML 2.0 passed a series of interoperability tests early in 2005 and was approved as a formal standard by the Organization for the Advancement of Structured Information Standards (OASIS). The Liberty Alliance -- a global consortium of vendors and end users working to develop open federated identity standards for Web services -- started testing tools that incorporate SAML 2.0 soon after, and vendors have lined up for the chance to get the alliance's seal of approval.

But two years have passed, and significant barriers continue to impede the technology's adoption, said Mike Neuenschwander, an analyst with Midvale, Utah-based Burton Group. He'll outline the benefits and obstacles at the Burton Group Catalyst Conference next week in San Francisco.

"Over the last few years, federation has been the subject of both hype and criticism," said Neuenschwander, who spent four months conducting more than 40 interviews with IT architects working on identity federation projects. "Federation apologists extol the technology's claims-based model, loose coupling, and trust relationships and predict its impending ubiquity. Critics counter that the complex mix of standards, liability, and business issues ensure the scheme will never get off the ground. The truth lies somewhere in between."

Federation advocates say the technology allows a richer integration of partners; a faster and cheaper coupling through standards; a simplified customer experience; deeper service offerings; and better protection of customer information. While praising the concept, skeptics have deemed the technology too immature for widespread use.

Neuenschwander said he has come across many enterprises that have successfully taken on federation projects. Some are still in the early stages, but large federations can have more than 50 partner connections and continue to grow, he said, adding that these organizations have found that identity federation can reduce costs and improve security.

But the success of federation falls far short of visionaries' aspirations, he said, adding that no new business models have miraculously sprung into existence thanks to SAML or other standards, and the term federation rarely even shows up in customers' business cases.

"The coordination that federation requires among business partners significantly dampens the spread of the technology, making its ubiquity -- even theoretically -- impossible," Neuenschwander wrote in a recent report. "Some federation projects get scrapped for technical and non-technical reasons. And dynamic federations and federated marketplaces remain in the realm of science fiction fantasy."

In the final analysis, he said, federation is a "fantastic" concept, but in real-world use the standards, technologies, and products created under its banner are at once too broadly featured and ill suited for practical widespread deployment. "The world isn't as it is in developers' dreams," he wrote. "Businesses have inescapable constraints and markets are brutally pragmatic."

Neuenschwander said his message is aimed at two audiences: enterprises looking for a way to make federation work, and vendors who need to craft a vision and game plan for federation technology that doesn't descend into unwarranted hype.

"This is valuable technology for certain cases but it is not the Holy Grail and requires a certain degree of funding and project management," he said. "If you want single sign-on this can make a lot of sense and, if done correctly, can save a lot of money." But vendors must be careful not to oversell the benefits. "There is more to come," he said. "There needs to be a next generation of effort. There's a way to go before this is ready for prime time."

Doug Moench, a senior consultant at Burton Group, sees the same obstacles. At the conference he'll present some early-adopter case studies to show companies the way forward. In one of his reports, Moench said there are indeed benefits that make federation a concept worth fighting for.

"Federated identity, the exchange of information within and between enterprises, provides authentication and authorization capabilities," he wrote. "Federation enables loosely coupled identity management across autonomous business domains and extends the reach of applications. It is now becoming a strategic requirement for most enterprise infrastructures and adoption continues in multiple industries."

He said organizations investing in federation are still seen as early adopters. Because the field is still developing, he said the challenges as well as the potential benefits can be significant. He hopes his workshop will provide insight into the results of early implementations.

Despite the current difficulties, he does predict that the next generation of Web services will include federated identity and that vendors and would-be adopters alike must "plan carefully to ensure [the] success of federated identity management projects."

For those looking to hear from a company that has successfully implemented federated identity management, John Tolbert, federation product manager and authorization systems architect for Boeing, will give a presentation on the methods his company used to test and design a federated identity management infrastructure that will scale as more companies and organizations adopt the technology.

Boeing's initial federation efforts addressed the company's account management costs, and according to Tolbert, Boeing saved money by standardizing and eliminating multiple accounts and passwords per user.

Federated identity management has also allowed the company to easily integrate with its external business partners. "It has eliminated the need for users to remember separate user IDs/passwords for various service providers," Tolbert said in an email, adding, "By using federation-enabled links, developers are able to build company-branded portals that have a good look and feel."

Still, as the Burton analysts have noted, Tolbert acknowledges that it has taken time for other organizations to deploy federation.

"We have found that the technology hasn't been as widely adopted as rapidly as we anticipated," he said.


