Boeing Pioneers Federated Identity Management with Partners

Computerworld -     "We are at the beginning of a very big thing," says Mike Beach, associate technical fellow at The Boeing Co. "We are on the edge of a huge uptake of this idea of federated identity over the Internet, and in coming years that will be the way people do business."

The reason, he says, is expense control. The concept of federated identity basically is single sign-on at the browser level, not just for a few applications inside a company but between organizations. If a person is authenticated by his employer, under a federated identity model that authentication is accepted automatically by business partners with which that company has federated agreements, allowing that employee to access information at those other entities to which he has access privileges without having to reauthenticate himself.

Specifically, it means that Boeing's 150,000 employees and 40,000 retirees can log onto Boeing's network once and then access benefits information at any of the several financial institutions involved without having to log on to those companies' networks or applications. And mechanics at Southwest Airlines, which piloted federated identity with Boeing, can access the latest maintenance manuals, bulletins and other information on Boeing aircraft without having to enter passwords or other identification information on Boeing's portal. Instead, the individual's identification comes embedded in each transaction using the Security Assertion Markup Language (SAML) standard, part of the XML standard set.

This provides three key benefits. For the user, it makes accessing specific information to which he is authorized on multiple private networks as transparent as accessing public Web pages on the Internet. Actually, most of these transactions travel over the Internet between corporate networks in encrypted form. But the key business driver is that it eliminates the need to manage intermediary passwords, which is estimated to be as high as $500 to $1,000 per user per month. It also simplifies and improves security for the service provider, which no longer needs to track changes in status of people in partnered organizations. So if a mechanic at Southwest Airlines, for instance, leaves the company, Boeing does not need to be informed. As soon as the former employee's access to Southwest's network is revoked, he can no longer access Boeing's information.

Boeing and Southwest Airlines have been pioneering their federated connection for three years, while several business, legal and technical issues were worked out. "For the last couple of years, industry in general has been wrestling with the legal and business implications of federation, the liability issues, and who owns what," says Beach, "And there were issues with competing standards in the industry. So we were in a holding pattern."