“These questions have architectural ramifications. We’ve come up with a strategy for what is important to HP as a business,” Anagol-Subbarao says.
Internal SSO (single sign-on) projects are great places to start because they provide a place to choose standards and projects without the pressure from outside partners. Plus, they’re likely to show good short-term ROI. The trick is to make sure your SSO projects don’t become calls for centralized directories, but rather employ federation technologies to do the job.
Many of the applications that you retrofit for SSO will be Web-enabled. “Start with simple browser-based access to applications inside the corporation,” says Timo Skytta, director of Web services at Nokia. Browser-based applications are the low-hanging fruit of federation because off-the-shelf identity products from vendors including Oracle, RSA, Novell, and others can often be retrofitted into the server-side code with little fuss.
Federation projects within your organization have another big advantage: They force you to clean up your infrastructure. GM’s Jackson says it’s the first step, and you can scale from there.
“If you go back five years, we had an uncontrolled number of identity sources, user IDs, and passwords; we even had multiples in single environments,” Jackson says. “We had multiple directories in every flavor you can imagine. Over the last few years, we’ve consolidated directories and the way we do authentication. We felt we couldn’t move forward with more sophisticated identity projects until we did that.”
After you’ve got a few internal federations under your belt, it’s time to move outside the firewall. Partnering with someone who’s already worked through complex federation problems is a great way to learn. Federating with an existing business partner is preferable because you can leverage agreements that you already have.
Interestingly, one of the biggest challenges in federated identity governance is often getting companies to talk to one another. “It’s hard to get people to come out and document what they’ve done because it’s a business benefit for them -- the second customer integration [is] much easier,” says Nokia’s Skytta. The irony is that federation requires sharing solutions. “There are plenty of questions, and no one has all the answers yet.”
-- Phillip J. Windley is a contributing editor at InfoWorld, an associate professor of computer science at Brigham Young University, and author of Digital Identity (O’Reilly, 2005).