Identity's federated future

Walk up to an ATM anywhere in the world, insert your bank card, punch in your PIN, and within minutes you can withdraw local currency from your own account, no matter where you normally bank. Aside from a possible service charge, the transaction is seamless. It’s the same as if you were at a branch in your hometown.

That’s a federated system in action. Out of mutual self-interest, using simple authentication at the point of transaction, participating banks have agreed to trust one another to supply funds from their respective vaults. The banks remain separate entities, but the flow of transactions is shared, creating a federated network.

Today, major IT vendors and their customers are looking to this same model as a way to enable the next generation of integrated network services for enterprise employees, business partners, and consumers. As open federated identity standards mature, IT will be able to deploy sophisticated access controls and to secure multiparty transactions across all types of organizations. And there is growing agreement that this vision of the future hinges on the fundamental nature of digital identity.

“When we started this three years ago, identity was seen as just another attribute, just another enabler, for an otherwise bigger problem” of sharing  data across companies, says Simon Nicholson, chair of the business and marketing expert group of the Liberty Alliance, an organization that promotes federated identity standards and technologies. “I think that what happened is that, the more people dug into what identity does for them, the more they realized that nothing is going to happen until they resolve the identity issue.”

For Nicholson and others, that issue involves questions as to where user identity should actually reside, the role of technology versus the role of trust, and how open standards can ever hope to rationalize the matrix of permissions required to share user information across an endless diversity of systems and organizations. The long-range payoff of federating identity is radical simplicity, so that both business users and consumers can engage in multi-party activities as easily as they use a single application.

Standards set the stage

According to Burton Group, identity federation combines SSO (single sign-on), identity mapping and account linking, directory services, authorization, and management. Getting all these components to work across distributed, heterogeneous environments is a tall order. The idea won’t become mainstream without broadly supported standards -- building blocks for federated identity that the industry has been working furiously to establish.

The most successful building block to date is SAML, an XML framework for exchanging security information between servers. Developed within the OASIS organization, SAML 1.1 defines protocols for SSO, delegated administration, and policy management. The Liberty Alliance has built on SAML to produce the ID-FF (Identity Federation Framework), which adds account linking, single sign-out, and improved facilities for establishing trust between organizations. In turn, the forthcoming SAML 2.0 specification will incorporate much of the Liberty Alliance’s work in an effort to become a unified standard for identity federation.

To encourage industry adoption, the Liberty Alliance has been proactive in certifying products both for technical compliance with its standards and for real-world interoperability.