The follies of failing to federate identity

A workable plan for federating identity starts with business policies

Many years and several jobs ago, I worked for a company that shall remain nameless. The separation was amicable, and the day I turned in my key and ID card, the company deactivated my e-mail and network access -- standard operating procedure.

Strangely enough, my phone and voice mail remained active. I only discovered this oversight six months later, when a business acquaintance ran into me on the street and demanded to know why I never returned her calls. Sure enough, I dialed in to my old voice mail and picked up a pile of messages.

According to Contributing Editor Phillip J. Windley, author of “The Hidden Challenges of Federated Identity,” stories like mine are commonplace. That’s because the task of federating identity -- using a decentralized, distributed system to authenticate a single identity across systems and boundaries -- is a bear.

Surprisingly, though, the technology itself isn’t all that mysterious. “You have your stuff, your partner has his; you both speak SAML, and it’s pretty much done,” says Windley, who literally wrote the book on the subject, Digital Identity, published last year by O’Reilly. “Most of the single stacks, from the big vendors, know how to talk to one another.” The trick, then, is “defining layers 8 and 9 -- economics and politics.”

And there’s the rub. Federated identity presses just about every IT hot button, from compliance, security, and privacy to outsourcing -- because you may be relying on outside partners to vouch for someone’s identity. Given the sensitive nature of identity information and the very real possibilities of fraud, financial damage, or privacy violations, turf wars and legal liability questions are inevitable.

To deal with those issues, Windley suggests establishing an interoperability framework, a flexible policy document that lists pertinent agreements, standards, and protocols. Just as important, organizations should create centers of excellence to focus on federated identity. “Once you’ve got a center of excellence in place,” Windley says, “you can appoint a point person and create policies that stipulate who makes decisions about exceptions.”

Without those policies, chaos is inevitable. Most companies have multiple identity sources and groups that are not used to working together. And that complexity increases when organizations federate identity information with partners and other parties.

Consider my earlier voice-mail scenario. The phone folks and network folks worked in separate departments that didn’t collaborate often, much less communicate, which means they hadn’t established a federated credential revocation policy.

The company’s risk, in this case, was negligible: I had no interest in abusing its phone system. Then again, if anyone needs free voice mail …