The ultimate goal of federation is to enable decentralized and distributed identity systems to interoperate in a way that provides all the features needed to support modern business practices. The Internet is the best example of an interoperable, distributed system; protocols and the policies that govern network interactions are the pixie dust that makes it all possible. Similarly, making federated identity work for your organization requires that you pay attention to both protocol and policy.
It’s important that you choose which of the competing federation standards you’ll use and which you won’t. Record your choices in a special policy called an IF (interoperability framework). An IF is nothing more than a list that explains what choices the organization has made. It categorizes standards, requiring some and encouraging others. It can also say which standards are sustained but shouldn’t be used in new deployments.
Because federation will include outside partners who might have made different choices, an IF should have flexibility built in, including an easy way to obtain exceptions. A clear benefit of an IF is that it keeps other policies from referencing specific standards, which would otherwise quickly go out of date when the standards change.
Beyond the technical standards that are critical for interoperability, other important policies govern how the business uses, controls, and protects identity data. Your federation policies should cover how your organization establishes trust in partners, what reviews are necessary for what kinds of projects, and how data will be protected.
How do you get business units to play along? Hewlett-Packard, one of the world’s largest companies, has succeeded in creating a federated identity system that contains more than 21 million separate identities and is used by more than 200 different applications that are managed by multiple business units.
“We use carrots and sticks,” says Anjali Anagol-Subbarao, HP’s chief architect for identity management. “We’ve shown that using the federated identity management system is about one-third the cost of creating a new system for an application. Since each project has to justify itself on ROI, project managers want to use the federated system.” For those who don’t, policies from the CIO’s office provide the stick necessary to drive the desired behavior.
Anagol-Subbarao also points out the value of outside consultants and analysts. “Getting outside help can validate the system and confirm that the approach is sound,” she says.
Where to begin
Many of the companies seeing success in identity federation have one thing in common: They’ve created a COE (center of excellence) in the CIO’s office, a federated identity management council, or both. A COE can help disseminate information, make architectural choices, and educate projects about how federated identity is used in your company. The management council draws business units into the process -- an important step, as most federation governance issues are rooted in the business.
HP employs an architecture council to develop its federation methodology and strategy, according to Anagol-Subbarao. The council employs use cases to create companywide principles that answer questions like: How will users be linked? Is personalization important? How do we provide for auditability?