The RSA Security conference will be held in San Jose, Calif., the week of Feb. 13, and one of the issues to be addressed there will be federated ID management. This story looks at federated ID trends for the coming year.
For Koch Industries, authenticating user identities is no easy task. The Wichita, Kan.-based enterprise is actually a collection of companies stretched across several industries, including energy, chemical technology, ranching, paper, securities and finance. It has a presence in about 50 countries. Many offices function independently, with their own individual computer networks.
"If we were all part of one big network we would have less of an interest in federated ID," Walker said. "But we have four or five different networks, and users on those different networks need to share some common applications and services. Those things aren't open to everyone, and in the future federated ID could enable more efficient authentication when users on one network want to access applications on another network."
He has reservations, though. Legacy applications that build up on the network over time may not behave properly with federated ID and will have to be tweaked. That would be difficult for a company with "many, many legacy applications," he said. "Until someone comes along to change the legacy apps, they will still ask for a user name and password. They'll have to be rewritten."
But federated ID enthusiasts say that headache is a small price to pay when one considers the technology's benefits. They believe it's the best way to securely authenticate users and prevent online thieves from impersonating others, especially in an age where business is becoming increasingly virtual and decentralized. "With the Internet you need ID portability. That's what federated identity is about. And with the world we're in now, the technology supporting it is a reality--mobile technology, decoupled systems," said Christopher Ceppi, business development director of Ping Identity, during a panel discussion on federated ID at last April's InfoSec World confab in Orlando, Fla.
And thanks to the Security Assertion Markup Language (SAML) 2.0, advocates say the technology is quickly headed for mainstream use. SAML 2.0 passed a series of interoperability tests and was approved as a formal standard by the Organization for the Advancement of Structured Information Standards (OASIS) in early 2005. On its Web site (www.oasis-open.org), the organization says SAML 2.0 adds key functions to create and manage federated networks that combine and appropriately share pre-existing repositories of identity information.
"People knew SAML 2.0 was around the corner, so they held back from federating with new clients," Sullivan said. But with the testing that began last July, he said, "the logjam is breaking free." There have been two rounds of testing so far and a third is planned for spring 2006, he said.
"We're moving rapidly now in the direction of the mainstream," he said, adding that a big example is the federation link Fidelity Investments and the Social Security Administration have established.
"This is so the user can federate between those two entities and do a direct deposit of their Social Security check into their Fidelity account," he said. "The simple elegance of the technology makes it so easy for the user to go from one site to another. Companies that can do this--federate with the Social Security Administration--that really gives them a competitive edge."
SAML 2.0 is an important step because different organizations--OASIS and Liberty Alliance, for example--came together to develop the standard for the common good, Sullivan said, adding, "A lot of vendors worked toward the common interest of solving a universal problem: how to facilitate network identity-based transactions. It's about making it as easy as it is with human beings making face-to-face transactions in the real world; doing those transactions in a networked world and knowing that the person you're dealing with is truly the person they say they are."
Vendors whose products have passed the SAML 2.0 smell test so far include RSA Security, The Electronics & Telecommunications Research Institute, Ericsson, IBM, NEC Corp., Novell, Oracle, Reactivity, Sun Microsystems and Trustgenix.
"Every vendor who participates says, 'My customers want me to be here,'" Sullivan said. "It shows the customers want vendors to go through this test before they will be willing to try their product."
And, he said, it shows there's a hunger in the marketplace for federated ID management.