Federated Identity Management Still Faces Logistic Hurdles

Years after it was hailed as the next big thing, federated identity management hasn't been widely adopted because both sides don't benefit equally and liability remains a concern.

In 2005, advocates of federated identity management were almost giddy when the Organization for the Advancement of Structured Information Standards (OASIS) adopted version 2.0 of the Security Assertion Markup Language (SAML).

Federated ID lets business partners automatically access each other's networks without requiring piles of passwords. Advocates for the technology said SAML 2.0 would make it easier for companies to form federations because it eased compatibility problems that kept many organizations from deploying the technology.

The Liberty Alliance -- a global consortium of vendors and end users working to develop open federated identity standards for Web services -- began testing tools that incorporate SAML 2.0 soon after the standard's adoption, and vendors lined up for the chance to get the alliance's seal of approval. Around that time, Mike Rothman -- then president and principal analyst at Security Incite, now analyst and president at Securosis -- wrote a column about the market potential for federated ID, saying that while the technology wasn't new, the more mature SAML 2.0 standard and the advent of both standalone and integrated federation capabilities within identity-management products made it more feasible for companies to "dip their toes into the federation waters."

Fast forward to 2012. More companies have indeed dipped a toe into those waters. But has the technology finally made it to prime time?

Not really, according to two academic scholars specializing in the economics of information security technology. Many organizations still balk at the liability concerns and lack of economic balance.

In a paper called "Economic Tussles in Federated Identity Management," authors Susan Landau, a visiting computer science scholar at Harvard University, and Tyler Moore, a visiting assistant professor at Wellesley College, wrote that while some federated ID management systems have experienced modest success -- including Shibboleth in the higher education sector, SAML in the enterprise sector, and the National Institutes of Health's program -- the technology still hasn't caught on in the broader market.
