Extending Identity

Though federated identity management technologies promise improved access to networks and cost savings, issues of trust and interoperability slow adoption.

The reduced identity administration costs, improved access to cross-organizational applications and better security promised by federated identity management systems are finally beginning to drive corporate interest, say proponents of the technology.

But organizational trust concerns and nagging interoperability problems continue to pose big challenges.

"Identity federation has been talked about for some time, but it is only now that we are really seeing a number of customers showing interest in it," says Jason Lewis, vice president of product management at RSA Security Inc. in Bedford, Mass.

"The main reason why users are looking at federated ID management is to make it easier to do business online for their customers, business partners and their employees," he says.

Identity federation allows users to present a single set of identity and authentication information to access applications and services across multiple domains and distributed, heterogeneous networks. A federated system allows a user's identity in one domain to be used to gain access to resources in another domain without the need for separate authentication.

Federated identity projects enable single sign-on to cross-organizational resources, while other identity management systems focus on improving internal access to resources.

One company that's implementing cross-domain authentication is insurance provider Nationwide Financial Services Inc., which recently deployed a federated identity system using technology from RSA Security.

The system lets thousands of Nationwide insurance agents and brokers go to a central portal site where they can access the Columbus, Ohio-based company's applications as well as applications hosted on sites belonging to some of its partners.

Previously, Nationwide's agents needed to create separate accounts and passwords with the third parties to access their applications. The partners, in turn, needed to maintain their own lists of usernames and passwords for Nationwide's agents.

With identity federation, the agents have to authenticate themselves only once on the central Nationwide portal and simply click on the appropriate links to access applications on the partner sites.

RSA's Federated ID Manager technology intercepts an agent's request with his log-in information. It generates an encrypted Security Assertion Markup Language (SAML) message containing the user's identity profile and other authentication information that the partner needs in order to let the user access its applications.

The SAML assertion and the browser session are then directed to the partner's site, where another federation server or agent parses the packaged identity information and uses it to grant access to the application the agent wanted.
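The exchange described above, modelled as an added example that is not part of the original article and not RSA's or any vendor's code: an identity provider (the portal) issues a signed assertion for a user it has authenticated, and a relying party (the partner site) checks issuer, signature, audience, validity window and replay before granting access. The entity IDs, user names, key and clock are all constructed; an HMAC with a pre-shared key stands in for SAML's XML-DSig with certificates, and the token is a base64 string rather than an HTTP POST form.

```python
"""Added example (not from the article or any product): a minimal model of the SAML-style
flow above. Simplifications, all assumptions of this example: HMAC with a pre-shared key
instead of XML-DSig, a base64 string instead of a POSTed form, constructed identifiers."""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"  # real SAML 2.0 assertion namespace
SIG_LEN = hashlib.sha256().digest_size
IDP_ID = "https://portal.example-insurer.test/idp"      # constructed, not a real endpoint
PARTNER_ID = "https://claims.example-partner.test/sp"   # constructed, not a real endpoint
SHARED_KEY = b"constructed-demo-key-not-for-production"


def _tag(name):
    return f"{{{SAML_NS}}}{name}"

def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def _parse_iso(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class IdentityProvider:
    """Issues assertions only for active users: deprovisioning here revokes access at every partner."""

    def __init__(self, entity_id, key, active_users):
        self.entity_id, self.key, self.active = entity_id, key, set(active_users)

    def issue(self, user, audience, role, lifetime=300, now=None):
        if user not in self.active:
            raise PermissionError("user is not active")
        now = now or datetime.now(timezone.utc)
        a = ET.Element(_tag("Assertion"), ID="_" + secrets.token_hex(16), IssueInstant=_iso(now))
        ET.SubElement(a, _tag("Issuer")).text = self.entity_id
        ET.SubElement(ET.SubElement(a, _tag("Subject")), _tag("NameID")).text = user
        cond = ET.SubElement(a, _tag("Conditions"), NotBefore=_iso(now),
                             NotOnOrAfter=_iso(now + timedelta(seconds=lifetime)))
        ET.SubElement(ET.SubElement(cond, _tag("AudienceRestriction")), _tag("Audience")).text = audience
        attr = ET.SubElement(ET.SubElement(a, _tag("AttributeStatement")), _tag("Attribute"), Name="role")
        ET.SubElement(attr, _tag("AttributeValue")).text = role
        body = ET.tostring(a)
        # The signature covers the whole assertion, so any edit to role, audience or expiry is detected.
        return base64.b64encode(body + hmac.new(self.key, body, hashlib.sha256).digest()).decode()


class RelyingParty:
    """Partner-side verifier. `trusted` maps issuer entity ID to verification key: the trust list
    partners agree on before federating (exchanged as metadata in real SAML deployments)."""

    def __init__(self, entity_id, trusted, clock_skew=60):
        self.entity_id, self.trusted = entity_id, dict(trusted)
        self.skew = timedelta(seconds=clock_skew)
        self.seen_ids = set()  # replay cache; persistent storage in a real deployment

    def verify(self, token, now=None):
        """Return (user, role) for an acceptable assertion; raise ValueError otherwise."""
        now = now or datetime.now(timezone.utc)
        blob = base64.b64decode(token)
        body, sig = blob[:-SIG_LEN], blob[-SIG_LEN:]
        a = ET.fromstring(body)  # production code would use a hardened XML parser
        key = self.trusted.get(a.findtext(_tag("Issuer")))
        if key is None:
            raise ValueError("untrusted issuer")
        if not hmac.compare_digest(sig, hmac.new(key, body, hashlib.sha256).digest()):
            raise ValueError("bad signature")
        cond = a.find(_tag("Conditions"))
        if now < _parse_iso(cond.get("NotBefore")) - self.skew:
            raise ValueError("not yet valid")
        if now >= _parse_iso(cond.get("NotOnOrAfter")) + self.skew:
            raise ValueError("expired")
        if cond.findtext(f"{_tag('AudienceRestriction')}/{_tag('Audience')}") != self.entity_id:
            raise ValueError("audience mismatch")
        if a.get("ID") in self.seen_ids:
            raise ValueError("replayed assertion")
        self.seen_ids.add(a.get("ID"))
        role = a.findtext(f"{_tag('AttributeStatement')}/{_tag('Attribute')}[@Name='role']/{_tag('AttributeValue')}")
        return a.findtext(f"{_tag('Subject')}/{_tag('NameID')}"), role


def _rejects(fn, *args, **kwargs):
    """Run fn and return the rejection reason, or None if it was accepted."""
    try:
        fn(*args, **kwargs)
        return None
    except (ValueError, PermissionError) as e:
        return str(e)


def demo():
    """Walk the flow with constructed data at a fixed clock; returns the outcome of each check."""
    t0 = datetime(2004, 6, 1, 12, 0, tzinfo=timezone.utc)
    idp = IdentityProvider(IDP_ID, SHARED_KEY, active_users=["agent-1042"])
    sp = RelyingParty(PARTNER_ID, {IDP_ID: SHARED_KEY})
    token = idp.issue("agent-1042", PARTNER_ID, role="broker", now=t0)
    tampered = base64.b64encode(base64.b64decode(token).replace(b">broker<", b">manager<")).decode()
    return {
        "valid": sp.verify(token, now=t0 + timedelta(seconds=5)),
        "replay": _rejects(sp.verify, token, now=t0 + timedelta(seconds=6)),
        "tampered": _rejects(sp.verify, tampered, now=t0 + timedelta(seconds=5)),
        "expired": _rejects(sp.verify, token, now=t0 + timedelta(hours=1)),
        "wrong_audience": _rejects(sp.verify, idp.issue("agent-1042", "https://other.test/sp", "broker", now=t0), now=t0),
        "unknown_issuer": _rejects(RelyingParty(PARTNER_ID, {}).verify, token, now=t0),
        "deprovisioned": _rejects(idp.issue, "agent-9999", PARTNER_ID, "broker", now=t0),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:15s} {outcome}")
```

The relying party's checks are the concrete form of the trust problem the article raises: the partner never sees the user's password, so everything it knows about the user rests on the issuer being on its trust list, the signature holding, and the assertion being fresh, unexpired and addressed to it. The identity provider refusing to issue for an inactive account is what makes central deprovisioning effective across every federated partner.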

Such cross-domain identity assertion can yield multiple benefits, says Daniel Blum, an analyst at Burton Group in Midvale, Utah.

"There are many different use cases for federation in the business-to-business, business-to-employee and business-to-consumer [areas]," Blum says. For example, an organization might federate identities to provide employees with access to benefits information, enable better information access to business partners or deliver more integrated services to consumers.

Federation can also improve security. For example, since identity information is centrally administered and managed, it becomes easier for companies to deprovision access to federated resources when an employee leaves a company or is terminated.

Such benefits have convinced a small but growing number of companies to implement federated identity management systems.

  • Harvard Pilgrim Health Care Inc. is using a federated identity model to present members with claims information from a partner site. The health care organization has deployed technology from Waltham, Mass.-based Netegrity Inc. that allows it to take a member's identity information and assert it on the claims presentation partner's Web site. The ability to deliver such access via a federated portal is a crucial competitive advantage, says Ken Patterson, information security officer at Wellesley, Mass.-based HPHC.
  • For the U.S. Navy, identity federation is a core enabler in a massive ID management project designed to make it easier for over 800,000 ship- and land-based naval personnel to access thousands of scattered applications using a single sign-on. When complete, the system will allow a sailor or marine to use a single, unique Naval Network Identity to access scores of applications and network services. Previously, users had to maintain dozens of usernames and passwords to access these different resources, says Terry Howell, enterprise services lead at the program executive office for the Navy's Command, Control, Communications, Computers and Intelligence project at the Space and Naval Warfare Systems Center in San Diego. Cupertino, Calif.-based Oblix Inc. is providing the Navy with the federated SAML authentication technology that is needed to assert identities across domains.
  • Southwest Airlines Co. has deployed Oblix's NetPoint access control and ID management technology to broker access to Southwest's external business partners. In one example, Southwest is using the SAML-enabled identity management system to vouch for the identity of employees accessing repair manuals that are hosted on The Boeing Co.'s systems.

Slowly Gaining Traction

Though adoption of the federated model is growing, the number of implementations so far is still relatively small, Blum says. "We estimate there's between 200 and 300 deployments of federated identity today," he says. "The greatest interest is in the financial services sector, with significant interest also in manufacturing, government and telecommunications."

Most of the activity has been in large companies that are using identity federation to link networks with subsidiaries, widely dispersed internal business units and partners with whom they have trusted relationships, says Venkat Raghavan, security manager of IBM's Tivoli Software business unit.

Raghavan sees the growing use of mobile technologies and the attempt by wireless providers to deliver more services to handhelds as another driver of identity federation. Being able to use next-generation mobile devices to pay multiple bills or access peer-to-peer applications will require identity federation to play a big role, he says.

Despite the growing interest, there are several formidable challenges that companies need to consider when thinking about deploying federated identity systems, he says.

The biggest by far is trust, Raghavan says. Partners in a federated system are essentially vouching for the identity of their users and their need to have access to services on another network.

Before a federated system can be set up, many issues must be sorted out relating to the roles, privileges and access rights for individuals on partner networks. There also needs to be a high level of assurance around the procedures and policies that federated partners employ for authenticating users and assigning roles to them.

"There is no warm, fuzzy feeling around the validation of an individual whose account you have no control over," says HPHC's Patterson. "We are dealing with the most sensitive medical information. We want to have the highest level of assurance around the identity of our users," he says.

"It is really difficult to trust a network outside of what you control," says the Navy's Howell. "The negative consequences of an [identity-related security breach] could be quite drastic."

As a result, identity federation works best where the business model is built on interaction between different companies and domains, says Rick Caccia, director of product management at Oblix. When legal and trust processes are already in place, cross-domain user authentication becomes easier to accept, Caccia says.

Interoperability is another key issue, since identity federation involves the exchange of security information across different domains and servers. The most widely used standard for doing this today is SAML. Another standard is the Liberty Alliance Project's Identity Federation Framework. Both standards specify the manner in which organizations package and encrypt the identity information they share with one another.

But different versions of the specifications, and the ways in which vendors of federated identity management products have chosen to implement these standards, can create interoperability problems, Blum says.

Organizations that are embarking on identity federation projects also need to figure out a way to bring partners on board, says RSA's Lewis. Unless you make it as easy and cost-effective as possible, there is little incentive for partners -- especially the smaller ones -- to link into a federated identity system, he says.

At the end of the day, federation just makes cross-organizational access easier, Raghavan says. For example, an employee who previously needed to separately log in and authenticate himself on his 401(k) provider's site might no longer need to do so if he's already logged in on his employer's human resources site.

But federated identity doesn't enable new access where none existed before, Raghavan says. Therefore, it becomes crucial to have a clear understanding of the specific cost, access and security value it can deliver, he says.

Copyright © 2004 IDG Communications, Inc.
