While there is high interest in identity federation, the technology is still in flux and will likely be more expensive and time-consuming to implement immediately rather than three years from now, an identity and access management expert said Thursday.
Roy Wagner, a research vice president with Gartner, told delegates at the company's IT Security Summit 2005 in London that identity federation -- the term for linking identities of users across multiple accounts without storing the information centrally -- is mostly being used now for single sign-ons across different domains.
An example of that usage is a person who accesses their retirement plan information stored by a different application provider, Wagner said. The advantages of identity federation include managing few user names and passwords, fewer password resets, and user convenience. So far, the technology has worked "pretty flawlessly," Wagner said.
But businesses should make a strong case internally to justify investing now, he said.
Most of the current identity federations are based on Web services protocol developed by Liberty Alliance, a consortium of companies working on identity federation, and the Organization for the Advancement of Structure Information Standards. Both have worked together to develop SAML (Security Assertion Markup Language).
Another standard -- WS-Federation, whose backers include Microsoft -- is more general and more flexible but has not been offered to a standards body, Wagner said. Wagner said he recommends using SAML 2.0, although there have been complaints that the protocols are too specific.
Wagner predicts there may be some convergence on a standard, but "at this point it is not likely to happen in the near future," he said.
The next step, which the technology will catch up soon to, is federated provisioning -- combining identities held by a large company such a telecom but stored in several countries. "We expect most of the value to come from this in the near future," Wagner said.
Other obstacles include how two companies that want to federate will merge their information, Wagner said. "You may have some issues trying to map those identities back and forth," Wagner said.