Today's workers are increasingly mobile and desire access capabilities that allow them to communicate and network from any location and with any application. Indeed, the mandate of the cloud is that applications be accessible securely by any user with proper credentials at any time and from any location.
The challenge for IT management is to provide access to these business capabilities cost-effectively and securely while maintaining the stability and compliance required by today's enterprises. IT must strike a balance between providing secure access to applications across multiple domains in response to rapidly changing business environments that require agility and speed. The expense in dollars, time and expertise to manage today's authentication complexity is overwhelming.
The first example of federation (the portability of identity information across otherwise autonomous security domains) goes back to 1999 when my colleague Darren Platt and I were at Securant Technologies and developed AuthXML. This specification for authentication and authorization information in XML was later used as the foundation for the current security assertion markup language (SAML) standard. SAML is used for exchanging authentication and authorization information between security domains and has become the definitive standard for web single sign-on (SSO) solutions.
Originally, the goal of federation was to enable autonomy between organizations inside the firewall and across the firewall by providing a loosely coupled way of passing user credentials from one system to another. This effort resulted in a way to implement standards-based SSO solutions across organizations that had a federation infrastructure in place. There are a number of reasons why federation has not taken hold across enterprises.
First, federation is prohibitively expensive for most companies. Additionally, it's hard to measure ROI for SSO solutions, and so most federation projects have had difficulty justifying their cost to senior management.
Second, SAML federation expertise is rare, in part because it is complex to learn and implement.
Lastly, compliance has become a huge issue. Critical capabilities, including access control and auditing, were left out of federation solutions. Without “controls,” federation solutions don't have a place in an enterprise compliance strategy.
However, federation technology is reaching a maturity level where it can be centralized as a utility and achieve its promise to become ubiquitous. But, for federation to reach that state, a network effect must be realized. The idea of “one-to-many” works because as more nodes are connected the entire network benefits. Enterprises then face a simpler task of managing a single connection to a larger network. This is where the common-hub aspect of the cloud really comes into play. SAML is not the only way to federate. You can have federation without SAML. The key is to de-couple the idea of federation from SAML because they are, in fact, distinct.
To achieve this, federation needs to ‘scale down' to smaller organizations that don't have the interest or capability to operate a federation infrastructure. This calls for practical federation approaches, like delegated authentication using LDAP call-backs that cheaply and simply extend existing infrastructure without additional complex infrastructure.
The cloud and compliance are not going away, so enterprises must deal with the issues of identity as a cross-organization and cross-firewall problem. Federation must be simplified and re-engineered starting with clear business drivers and justification. Ubiquity will deliver the promise of Federation 2.0.
