Years after it was hailed as the next big thing, federated identity management hasn't been widely adopted because both sides don't benefit equally and liability remains a concern.

In 2005, advocates of federated identity management were almost giddy when the Organization for the Advancement of Structured Information Standards (OASIS) adopted version 2.0 of the Security Assertion Markup Language (SAML).

Federated ID lets business partners automatically access each other’s networks without requiring piles of passwords. Advocates for the technology said SAML 2.0 would make it easier for companies to form federations because it eased compatibility problems that kept many organizations from deploying the technology.

The Liberty Alliance — a global consortium of vendors and end users working to develop open federated identity standards for Web services — began testing tools that incorporate SAML 2.0 soon after the standard’s adoption, and vendors lined up for the chance to get the alliance’s seal of approval. Around that time, Mike Rothman — then president and principal analyst at Security Incite, now analyst and president at Securosis — wrote a column about the market potential for federated ID, saying that while the technology wasn’t new, the more mature SAML 2.0 standard and the advent of both standalone and integrated federation capabilities within identity-management products made it more feasible for companies to “dip their toes into the federation waters.”

Fast forward to 2012. More companies have indeed dipped a toe into those waters. But has the technology finally made it to prime time? Not really, according to two academic scholars specializing in the economics of information security technology.
Many organizations still balk at the liability concerns and lack of economic balance.

In a paper called “Economic Tussles in Federated Identity Management,” authors Susan Landau, a visiting computer science scholar at Harvard University, and Tyler Moore, a visiting assistant professor at Wellesley College, wrote that while some federated ID management systems have experienced modest success (including Shibboleth in the higher education sector, SAML in the enterprise sector, and the National Institutes of Health’s program), the technology still hasn’t caught on in the broader market. “In particular, federated identity management has functioned well in sectors in which the parties had first established contracts, but on the open Internet, where the Identity Providers and Service Providers might not previously have had a relationship, federated identity management has experienced slow adoption,” they wrote. “It is widely believed that the inability to solve the liability issue — who would bear the costs when federated systems inappropriately shared information or incorrectly authenticated a user — is at the root of the problem.”

They go on to say that the design of federated identity management systems creates a classic case of an economic tussle.

When the systems have been successful, it has been because both sides enjoyed benefits. In the broader market, that objective is hard to meet.

“Such systems have so far failed to achieve traction when the systems are weighted so that the benefits largely accrue to only one side,” they wrote. “Rather than liability alone, the problem is actually one of maladjustment to the economic tussle.
Consequently, if one can readjust the values in those systems so as to provide clear — and relatively balanced – benefits to all parties, then the federated system is much more likely to succeed.”