No longer confined to just the intranet, today’s worker is increasingly mobile and often armed with the latest technology to communicate and collaborate with coworkers from virtually anywhere. Users desire access capabilities that allow them to communicate, collaborate and network from any location and with any application. Indeed, the mandate of the Cloud is that applications be accessible securely by any user with proper credentials at any time and from any location.
The challenge for IT management is to provide access to these business capabilities cost effectively and securely while maintaining the stability and compliance required by today’s enterprises. IT must strike a balance between cost, security and stability while providing access to multiple applications across multiple domains. Today’s rapidly changing business environments require agility and speed, yet the expense in dollars, time and expertise to manage today’s authentication complexity is overwhelming.
The first example of federation (the portability of identity information across otherwise autonomous security domains) goes back to 1999, when Securant (ClearTrust) developed AuthXML. AuthXML was a specification for expressing authentication and authorization information in XML that later became the core of the Security Assertion Markup Language (SAML). SAML is used for exchanging authentication and authorization information between security domains and has become the definitive standard for many web Single Sign-On (SSO) solutions.
Originally, the goal of federation was to enable autonomy between organizations inside the firewall and across the firewall by providing a loosely coupled way of passing user credentials from one system to another. This effort resulted in a way to implement standards-based SSO solutions across organizations that had a federation infrastructure in place.
There are a number of reasons why federation has not taken hold across enterprises:
» First, federation is prohibitively expensive for most companies. Federation has been limited to the ‘rich and famous’ Fortune 500 companies with large budgets. Additionally, it’s hard to measure ROI for SSO solutions and so most federation projects have had difficulty justifying their cost to senior management. Countless SAML federation initiatives have been thwarted due to a lack of a strong business case.
» Second, federation is complex. Like PKI before it, SAML federation expertise is rare in part because it is complex to learn and implement. Imagine if your mobile phone network worked the way federation does today. You would have to set up a dedicated infrastructure to call someone and would only be able to call people in your wireless carrier’s network. Obviously, this type of solution simply doesn’t scale.
» Lastly, compliance has become a huge issue since federation was originally conceived. Critical capabilities, including access control and auditing, were left out of federation solutions. Without such “controls”, federation solutions have no place in an enterprise compliance strategy, since organizations must maintain end-to-end compliance for data access.
It takes a long time for a technology to reach the maturity level where it can be centralized in a utility fashion and become ubiquitous. Look at the adoption rates of earlier inventions such as the telephone. Ubiquitous solutions aggregate expertise and infrastructure resulting in economies of scale and lower costs.
For federation to become ubiquitous, the network effect must be realized. The idea of “one-to-many” works because as more nodes are connected, the entire network benefits. Enterprises then face the much simpler task of managing a single connection to a larger network. This is where the common-hub aspect of the Cloud really comes into play. SAML is not the only way to federate: you can have federation without SAML, and many organizations are doing this. The key is to de-couple the idea of federation from SAML, because they are distinct.
Federation needs to ‘scale down’ to smaller organizations that don’t have the interest or capability to operate a federation infrastructure. This calls for practical federation approaches like delegated authentication using LDAP call-backs that cheaply and simply extend existing infrastructure without additional software.
The Cloud and compliance are not going away, so enterprises must deal with the issues of identity as a cross-organization and cross-firewall problem. Federation needs to be re-engineered starting with a clear business driver and justification that will be suitable for any size organization.