Federation takes identity to the next level

Ogilvy & Mather links its identity systems to those of its clients

When clients of advertising giant Ogilvy & Mather want to collaborate on budgets or watch rough cuts of commercials, they’re likely to log on to the company’s network and do it online. The process speeds delivery and saves on travel costs, but it can also add a big security and regulatory burden.

Before deploying IDM (identity management), Ogilvy found itself managing user names and passwords for more than 23,000 external users, in addition to the company’s 13,000 employees, says Andres Andreu, technical director of Web engineering and applications for the firm. The solution Ogilvy turned to was identity federation.

In September 2004, Ogilvy rolled out IBM TFIM (Tivoli Federated Identity Manager) to manage both internal and external access to its network. TFIM helped to relieve the management burden from Ogilvy’s IT staff by allowing clients to maintain their own user directories. Using federation, client networks seamlessly exchange identity data with Ogilvy’s, based on one of three major identity federation standards.

Andreu says Ogilvy is currently federated with three big clients, representing roughly half of the agency’s external users. He expects nearly all of its clients to join the federated network eventually.

Using a federated access system also reduces Ogilvy’s burden under Sarbanes-Oxley. “If we were still storing data for those three clients, we’d have to become part of their compliance process,” says Andreu. “Now we only have to make sure the transfer mechanism for credentials is secure.”

Still, if implementing identity internally is not a trivial task, taking the next step by moving to a federated system is even more challenging. Any enterprise hoping to bring more than one or two partners into federation would have to embrace all three major standards -- Liberty Alliance, Microsoft and IBM’s Web Services (WS-*) architecture, and SAML (Security Assertion Markup Language), formulated by OASIS.

“Companies are accepting that they will have to deal with a mix of standards,” says IDC analyst Sally Hudson. “Most major vendors can accommodate all three of the standards at some level.”

Mike Neuenschwander, research director for the Burton Group, says most IDM vendors appear to be converging on SAML 2.0 for single sign-on, but provisioning and Web services standards remain less well defined. He’s quick to point out, however, that when making the leap to identity federation, the biggest challenges lie in a different kind of interoperability.
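Added example (not from the article, and not code from Ogilvy's or IBM's deployment): the trust checks a relying party applies to a SAML 2.0 assertion received from a federated partner's identity provider, which is the "transfer mechanism for credentials" that the agency says it must keep secure. The issuer roster, audience URL and timestamps are constructed placeholders, and XML signature verification is assumed to have been done already by an XML-DSig library before these checks run.

```python
# Constructed example: relying-party validation of a SAML 2.0 assertion from a
# federated partner. Signature verification is assumed to happen before this step.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical federation roster: only these partner IdPs may assert users to us.
TRUSTED_ISSUERS = {"https://idp.client-a.example/saml", "https://idp.client-b.example/saml"}
OUR_AUDIENCE = "https://portal.agency.example/sp"  # placeholder service-provider entity ID

# Constructed sample assertion (placeholder organisations and values).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" Version="2.0" IssueInstant="2005-09-01T12:00:00Z">
  <saml:Issuer>https://idp.client-a.example/saml</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@client-a.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2005-09-01T12:00:00Z" NotOnOrAfter="2005-09-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://portal.agency.example/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(s):
    # SAML timestamps are UTC in the form YYYY-MM-DDTHH:MM:SSZ
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now_iso, trusted_issuers=TRUSTED_ISSUERS, audience=OUR_AUDIENCE):
    """Return (ok, reason, name_id); rejects on the first failed trust condition."""
    root = ET.fromstring(xml_text)
    now = _ts(now_iso)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:          # only partners in the federation may assert
        return False, "issuer not in federation roster", None
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "assertion carries no Conditions", None
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb is None or na is None or not (_ts(nb) <= now < _ts(na)):
        return False, "assertion outside its validity window", None
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:              # assertion must be addressed to this SP
        return False, "assertion not addressed to this service provider", None
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return False, "no subject NameID", None
    return True, "ok", name_id
```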

“The real barriers aren’t technological,” Neuenschwander says. “They’re working out the agreements and legal contracts to set up trust relationships across the organization. That tends to take more time than deploying the technology.”

Copyright © 2005 IDG Communications, Inc.