Federated ID: An Idea Whose Time Never Came?

A few years ago, advocates for federated ID management said the technology would be in mainstream use by now. That prediction hasn't come to pass, for a variety of reasons.

In 2005 advocates of federated identity management were almost giddy when the Organization for the Advancement of Structured Information Standards (OASIS) adopted version 2.0 of the Security Assertion Markup Language (SAML).

Federated ID lets business partners automatically access each other's networks without requiring piles of passwords. Advocates for the technology said SAML 2.0 would make it easier for companies to federate with one another because it eased compatibility problems that kept so many organizations from deploying the technology.

The Liberty Alliance - a global consortium of vendors and end users working to develop open federated identity standards for Web services - began testing tools that incorporate SAML 2.0 soon after the standard's adoption, and vendors lined up for the chance to get the alliance's seal of approval. Atlanta-based Security Incite President and Principal Analyst Mike Rothman wrote a column about the market potential for federated ID a year later, saying that while the technology wasn't new, the more mature SAML 2.0 standard and the advent of both stand-alone and integrated federation capabilities within identity management products were making it more feasible for companies to "dip their toes into the federation waters."

Fast forward to 2008. More companies have indeed dipped a toe into the federated identity management waters. But the adoption rate remains far below where expectations were three years ago, industry experts say.

So what's the problem? For companies short on time, manpower and money - a description that fits many organizations caught in the current economic slowdown - federated ID remains something many would like to adopt if not for the costs and logistical nightmares involved.

"Federated projects are often huge undertakings on both a contracting side, as well as from a technical controls perspective, and that makes it a bear for most organizations," says Mike Murray, a former enterprise security architect at Liberty Mutual Insurance Group and former director of vulnerability and exposure research at nCircle Network Security. "It's hindering the adoption that many people thought would happen quickly at the beginning."

Murray, now a managing partner at Chicago-based consultancy Michael Murray and Associates LLC, says he does know of a few places where federated ID is getting deployed in a big way, particularly in the financial and government sectors. But it's not the big deal that it was made out to be a few years ago.

Henry Bagdasarian, a Los Angeles-based risk management specialist and former corporate information security/audit director at Health Net and Fox Entertainment Group, says users are ready for a single sign-on system allowing them to access multiple systems across their network and external domains, but they are not yet ready to assume the cost or establish trust relationships with external parties.

"Companies have a hard time implementing single sign-on within their own networks for their employees," he says. "The fact is most environments have too many distributed systems." He says it's hard enough to manage one security system. Bring in numerous systems and many more users across a wide area of internal and external domains and the challenge is simply too rich for many companies.

"In short, users love it but it is challenging and costly to build relationships and connect various domain systems through technical standardization," he adds. "If successful, independent reviews of third-party system security such as SAS 70 will become extremely important."

Despite these factors, federated ID vendors are keeping the faith.

True, adoption may not be at the blockbuster levels hoped for three years ago, but the deployments that have happened have been very successful, according to Vatsal Sonecha, vice president of product management and business development at Tricipher Inc. The vendor's myOneLogin suite of on-demand services has been a particularly popular product, impressing the likes of Mike Murray.

Sonecha admits federated ID is a tough nut for many companies to crack, especially when it comes to the complexities of getting it deployed across different organizations. His company's approach has been to solve the problem by making it an "in-the-cloud" service that doesn't rely on as much infrastructure. He predicts that approach will lead to a significant spike in deployments by this time next year.

For now, he says, adoption is most robust in the healthcare arena, both on the enterprise side and the patient and payment portal sides.

"We are talking to several large partners who really want to solve this issue," he says, noting that interest has come from sectors outside of healthcare as well. "Point-to-point federation isn't really working, hence the in-the-cloud approach, and I think that will lead to more adoption."