Beyond the technical standards that are critical for interoperability, other important policies govern how the business uses, controls, and protects identity data. Your federation policies should cover how your organization establishes trust in partners, what reviews are necessary for what kinds of projects, and how data will be protected.
How do you get business units to play along? Hewlett-Packard, one of the world’s largest companies, has succeeded in creating a federated identity system that contains more than 21 million separate identities and is used by more than 200 different applications that are managed by multiple business units.
“We use carrots and sticks,” says Anjali Anagol-Subbarao, HP’s chief architect for identity management. “We’ve shown that using the federated identity management system is about one-third the cost of creating a new system for an application. Since each project has to justify itself on ROI, project managers want to use the federated system.” For those who don’t, policies from the CIO’s office provide the stick necessary to drive the desired behavior.
Anagol-Subbarao also points out the value of outside consultants and analysts. “Getting outside help can validate the system and confirms that the approach is sound,” she says.
Where to begin
Many of the companies seeing success in identity federation have one thing in common: They’ve created a COE (center of excellence) in the CIO’s office, a federated identity management council, or both. A COE can help disseminate information, make architectural choices, and educate projects about how federated identity is used in your company. The management council draws business units into the process -- an important step, as most federation governance issues are rooted in the business.
“These questions have architectural ramifications. We’ve come up with a strategy for what is important to HP as a business,” Anagol-Subbarao says.
Internal SSO (single sign-on) projects are great places to start because they provide a place to choose standards and projects without the pressure from outside partners. Plus, they’re likely to show good short-term ROI. The trick is to make sure your SSO projects don’t become calls for centralized directories, but rather employ federation technologies to do the job.
Many of the applications that you retrofit for SSO will be Web-enabled. “Start with simple browser-based access to applications inside the corporation,” says Timo Skytta, director of Web services at Nokia. Browser-based applications are the low-hanging fruit of federation because off-the-shelf identity products from vendors including Oracle, RSA, Novell, and others can often be retrofitted into the server-side code with little fuss.
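The pattern behind those retrofits, as an added example that is not part of the original article or any vendor's product: the application (relying party) accepts a signed, short-lived assertion from a partner identity provider instead of looking the user up in a central directory. The token layout, the HMAC shared secret standing in for the identity provider's signature, and the hostnames are constructed for illustration; production deployments use SAML or OpenID Connect and verify against the identity provider's public key, but the checks the relying party must make (trusted issuer, valid signature, correct audience, validity window, no replay) are the same.

```python
"""Federated browser SSO reduced to its core check: a relying party (RP)
accepts a signed assertion from a partner identity provider (IdP) and never
consults a shared user store it does not own.

Constructed example. Token format, HMAC shared secret and hostnames are all
assumptions made for this illustration, not any product's wire format.
"""
import base64
import hashlib
import hmac
import json
import secrets


class InvalidAssertion(Exception):
    """Raised when the relying party refuses an assertion."""


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(key: bytes, issuer: str, subject: str, audience: str,
                    now: int, ttl: int = 300) -> str:
    """IdP side: bind subject, audience and validity window together and sign
    the whole thing. 'jti' is a per-assertion nonce used for replay detection."""
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl, "jti": secrets.token_hex(16)}
    body = _b64u(json.dumps(claims, sort_keys=True).encode("utf-8"))
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


class RelyingParty:
    """Application side: trusts only the issuers it holds a key for."""

    def __init__(self, my_id: str, trusted_issuers: dict, clock_skew: int = 60):
        self.my_id = my_id
        self.trusted_issuers = trusted_issuers   # issuer id -> verification key
        self.clock_skew = clock_skew
        self.seen_jti = set()                    # replay cache; bound it by ttl in practice

    def validate(self, token: str, now: int) -> dict:
        try:
            body, tag = token.split(".")
            claims = json.loads(_b64u_decode(body))
        except (ValueError, UnicodeDecodeError) as exc:
            raise InvalidAssertion("malformed assertion") from exc
        if not isinstance(claims, dict):
            raise InvalidAssertion("malformed assertion")
        # Nothing in 'claims' is trusted until the signature checks out; the
        # issuer field is read only to select which key to verify with.
        key = self.trusted_issuers.get(claims.get("iss"))
        if key is None:
            raise InvalidAssertion("untrusted issuer")
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            raise InvalidAssertion("bad signature")
        if claims.get("aud") != self.my_id:
            raise InvalidAssertion("wrong audience")   # minted for a different partner app
        iat, exp = claims.get("iat"), claims.get("exp")
        if not (isinstance(iat, int) and isinstance(exp, int)
                and iat - self.clock_skew <= now < exp):
            raise InvalidAssertion("expired or not yet valid")
        if claims.get("jti") in self.seen_jti:
            raise InvalidAssertion("replayed assertion")
        self.seen_jti.add(claims["jti"])
        return claims


def check(rp: RelyingParty, token: str, now: int) -> str:
    """Return 'ok' or the rejection reason; useful for audit logging."""
    try:
        rp.validate(token, now)
        return "ok"
    except InvalidAssertion as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample: secret exchanged out of band when the partnership is set up.
    KEY = secrets.token_bytes(32)
    rp = RelyingParty("https://app.example.com", {"https://idp.partner.example": KEY})
    tok = issue_assertion(KEY, "https://idp.partner.example", "alice",
                          "https://app.example.com", now=1000)
    print(check(rp, tok, now=1010))   # ok
    print(check(rp, tok, now=1010))   # replayed assertion
```

The point of the example is what the application does not do: it holds no password for alice and queries no partner directory. Trust is carried by the signed assertion and scoped by audience and lifetime, which is what lets each business unit keep its own user store while still participating in the federation.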
Federation projects within your organization have another big advantage: They force you to clean up your infrastructure. GM’s Jackson says it’s the first step, and you can scale from there.
“If you go back five years, we had an uncontrolled number of identity sources, user IDs, and passwords; we even had multiples in single environments,” Jackson says. “We had multiple directories in every flavor you can imagine. Over the last few years, we’ve consolidated directories and the way we do authentication. We felt we couldn’t move forward with more sophisticated identity projects until we did that.”
After you’ve got a few internal federations under your belt, it’s time to move outside the firewall. Partnering with someone who’s already worked through complex federation problems is a great way to learn. Federating with an existing business partner is preferable because you can leverage agreements that you already have.
Interestingly, one of the biggest challenges in federated identity governance is often getting companies to talk to one another. “It’s hard to get people to come out and document what they’ve done because it’s a business benefit for them -- the second customer integration [is] much easier,” says Nokia’s Skytta. The irony is that federation requires sharing solutions. “There are plenty of questions, and no one has all the answers yet.”
-- Phillip J. Windley is a contributing editor at InfoWorld, an associate professor of computer science at Brigham Young University, and author of Digital Identity (O’Reilly, 2005).