Federated ID: An Idea Whose Time Never Came?
A few years ago, advocates for federated ID management said the technology would be in mainstream use by now. That prediction hasn't come to pass for a variety of reasons.
By Bill Brenner, Senior Editor
July 31, 2008
In 2005 advocates of federated identity management were almost giddy when the Organization for the Advancement of Structured Information Standards (OASIS) adopted version 2.0 of the Security Assertion Markup Language (SAML).
Federated ID lets business partners automatically access each other's networks without requiring piles of passwords. Advocates for the technology said SAML 2.0 would make it easier for companies to federate with one another because it eased compatibility problems that kept so many organizations from deploying the technology.
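To make the mechanism described above concrete, here is an added example (not code from the article or from any of the vendors it mentions) of what the service provider on the receiving end of a SAML 2.0 federation actually has to check before letting a partner's user in: that the assertion comes from an identity provider it has a configured trust relationship with, that it is inside its validity window, and that it was issued for this service provider and nobody else. The assertion, the issuer and audience URLs, and the user identity are all constructed placeholders, and the sample is deliberately unsigned so it runs with the standard library alone; a real relying party verifies the XML signature against the partner's certificate (for example with an xmlsec-based library) before any of these checks.

```python
"""Relying-party (service provider) checks on a SAML 2.0 assertion.

Added example using only the Python standard library. The assertion below
is a constructed, unsigned sample; production code verifies the XML
signature against the trusted identity provider's certificate first.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion; issuer, audience and subject are hypothetical.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2008-07-31T12:00:00Z">
  <saml:Issuer>https://idp.partner.example/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@partner.example</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2008-07-31T11:55:00Z" NotOnOrAfter="2008-07-31T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2008-07-31T11:59:00Z"/>
</saml:Assertion>"""

# The "trust relationship" with a partner, expressed as configuration:
# the identity providers this service provider accepts, and its own entity ID
# (both hypothetical values).
TRUSTED_ISSUERS = {"https://idp.partner.example/idp"}
OUR_ENTITY_ID = "https://sp.example.com/metadata"


def parse_saml_time(value):
    """SAML timestamps are xs:dateTime in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, trusted_issuers=TRUSTED_ISSUERS,
                       audience=OUR_ENTITY_ID, skew=timedelta(seconds=60)):
    """Return (subject, None) if the assertion is acceptable, else (None, reason).

    `now` must be a timezone-aware datetime; `skew` tolerates small clock
    differences between the two organisations.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS or root.get("Version") != "2.0":
        return None, "not a SAML 2.0 assertion"

    # Only identity providers we have explicitly federated with are accepted.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in trusted_issuers:
        return None, "untrusted issuer"

    cond = root.find("saml:Conditions", namespaces=NS)
    if cond is None:
        return None, "missing Conditions"

    # Validity window: reject assertions that are not yet valid or already expired.
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before) - skew:
        return None, "not yet valid"
    if not_on_or_after and now >= parse_saml_time(not_on_or_after) + skew:
        return None, "expired"

    # Audience restriction: the assertion must have been issued for us, so an
    # assertion minted for a different partner cannot be replayed here.
    audiences = {
        a.text.strip()
        for a in cond.findall("saml:AudienceRestriction/saml:Audience", namespaces=NS)
        if a.text
    }
    if audience not in audiences:
        return None, "audience mismatch"

    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return None, "missing subject"
    return name_id.strip(), None


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, parse_saml_time("2008-07-31T12:00:00Z")))
    print(validate_assertion(SAMPLE_ASSERTION, parse_saml_time("2008-07-31T12:10:00Z")))
```

The issuer and audience checks are where the contractual side of a federation shows up in code: each partner's entity ID and signing certificate has to be agreed, exchanged and configured on both sides before a single assertion can be accepted, which is part of why these projects are larger than a plain single sign-on rollout.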
The Liberty Alliance - a global consortium of vendors and end users working to develop open federated identity standards for Web services - began testing tools that incorporate SAML 2.0 soon after the standard's adoption, and vendors lined up for the chance to get the alliance's seal of approval. Atlanta-based Security Incite President and Principal Analyst Mike Rothman wrote a column about the market potential for federated ID a year later, saying that while the technology wasn't new, the more mature SAML 2.0 standard and the advent of both stand-alone and integrated federation capabilities within identity management products was making it more feasible for companies to "dip their toes into the federation waters."
Fast forward to 2008. More companies have indeed dipped a toe into the federated identity management waters. But the adoption rate remains far below where expectations were three years ago, industry experts say.
So what's the problem? For companies short on time, manpower and money - a description that fits many organizations caught in the current economic slowdown - federated ID remains something many would like to adopt if not for the costs and logistical nightmares involved.
"Federated projects are often huge undertakings on both a contracting side, as well as from a technical controls perspective, and that makes it a bear for most organizations," says Mike Murray, a former enterprise security architect at Liberty Mutual Insurance Group and former director of vulnerability and exposure research at nCircle Network Security. "It's hindering the adoption that many people thought would happen quickly at the beginning."
Murray, now a managing partner at Chicago-based consultancy Michael Murray and Associates LLC, says he does know of a few places where federated ID is getting deployed in a big way, particularly in the financial and government sectors. But it's not the big deal that it was made out to be a few years ago.
Henry Bagdasarian, a Los Angeles-based risk management specialist and former corporate information security/audit director at Health Net and Fox Entertainment Group, says users are ready for a single sign-on system allowing them to access multiple systems across their network and external domains, but they are not yet ready to assume the cost or establish trust relationships with external parties.