Federated Identity Management: Flying Duo

In 2002, Boeing rolled out an extranet application before federated identity management was a viable alternative. The application, dubbed MyBoeingFleet, allows mechanics at its airline customers to access maintenance and repair information over the Internet, instead of waiting weeks for thick manuals. But there was one problem: They still had to remember a Boeing-specific user name and password to do so.

“There were a lot of calls into the help desk at Boeing because our people were forgetting their passwords and getting locked out of their accountsor we needed to add or delete accounts,” says Michael Frederick, manager of technology security for Southwest Airlines.

Southwest, with more than 6,000 mechanics, wanted to administer its own user accounts in MyBoeingFleet. “It is easier for SWA employees to remember a single credential, and it is more cost effective for Boeing to not have to provide help desk support for users who are not Boeing employees,” says Frederick. So the two companies established a federated system, whereby authorized Southwest users can access appropriate Boeing resources with the same log-in. The two companies found that the process side of federated identity management can be more complex than the technical side. “Federated comes into play when you’ve got a contractual trust relationship that’s set up between the two organizations ahead of time,” explains Frederick. “We had lawyers negotiate the contractswhat we were going to allow each other to do in the systems, what we were allowed to see and who’s liable for what if something goes wrong.”

All of this is good in certain applications such as portals and extranets, says Phebe Waterfield, security analyst with The Yankee Group. But it won’t do much to relieve the lion’s share of the identity management burden. “Only 10 percent of corporate applications are Web-based. The other 90 percent are legacy,” she says. “So the real identity management problem is still inside the enterprise.”