Current State of Federated Identity Standards and Implementations

Post on 06-Dec-2014


Transcript of Current State of Federated Identity Standards and Implementations

All Contents © 2008 Burton Group. All rights reserved.

Current State of Federated Identity

OASIS Open Standards Forum 2008, Friday, 3 October 2008

Gerry Gebel

VP & Service Director – IdPS

ggebel@burtongroup.com

www.burtongroup.com

A Few Points to Ponder

State of federation is strong – but the game is changing

Business models are driving up demand for federation technology – and forcing still other changes

Federation and SSO services – an emerging trend to watch


After this presentation, you will…

… stop federating

• Because business people don’t know what you are talking about


… realize that protocols do not equal a business process

• You need services and capabilities, in addition to protocols and technologies

… discover that the Internet doesn’t need an identity layer

• Rather, it needs a relationship layer!

Business Trends Drive IT Trends

Same as it ever was

• Global economy, cost-effective communications driving fundamental change to the business environment

• The more global things get, the more pressure to decompose big orgs

• Need to integrate business process across many boundaries

• Must interoperate, connect with security and low friction

Business Trends Drive IT Trends

What a difference a year (and a financial crisis) makes

• Do more with less, or do less with less

• Plate tectonics: Business transformation, IT transformation collide

• SaaS gaining favor . . . the times they are a-changing

• Outsource, offshore, buy it as a service

Current Technologies and Methodologies

The Expanding Identity Universe

Dynamics are driving requirements where CIOs have no control

Diagram (labels recovered from the slide): axes Scale (Small, Large, Massive), Control (Centralized, Distributed) and Focus (Business, Individual); regions labelled SMB / SaaS, Consumers / Social Networks, Deperimeterization / Outsourcing, Compliance / Privacy; and "The CIO and the budget".

Where does federation fit in here?

Federation and Distributed Control

Examine the Problem

SSO: internal applications

Diagram (labels only): users Employees, Contractors, Partners; targets Applications, SaaS, Partner; mechanisms AD/Kerberos, WAM/Federation.

Examine the Problem

SSO: hosted applications

Diagram (labels only): users Employees, Contractors, Partners; targets Applications, SaaS, Partner; mechanisms AD/Kerberos, WAM/Federation; open question marked on the slide: "WAM/Federation?"

Examine the Problem

SSO: external users

Diagram (labels only): users Employees, Contractors, Partners; targets Applications, SaaS, Partner; mechanisms AD/Kerberos, WAM/Federation; open question marked on the slide: "AD/Kerberos?"

Examine the Problem

SSO: external users

Diagram (labels only): users Employees, Contractors, Partners; targets Applications, SaaS, Partner; mechanisms AD/Kerberos, WAM/Federation; open question marked on the slide: "Federation?"

Examine the Problem

SSO: employee off site

Diagram (labels only): users Employees, Contractors, Partners; targets Applications, SaaS, Partner; mechanisms AD/Kerberos, WAM/Federation; open question marked on the slide: "AD/Kerberos?"

Examine the Problem

SSO: employee off site, hosted applications

Diagram (labels only): users Employees, Contractors, Partners; targets Applications, SaaS, Partner; mechanisms AD/Kerberos, WAM/Federation; open question marked on the slide: "Federation?"

Examine the Problem

SSO: new options

Diagram (labels only): users Employees, Contractors, Partners; targets Applications, SaaS, Partner; mechanisms AD/Kerberos, WAM/Federation; new element on the slide: Federation service.

Examine the Problem

Why don’t we have SSO?

• Architecture limitations don’t accommodate new application types: Software as a Service

• Product and technology selection process failure
  • Used RFP checklist instead of usage scenario analysis

• Vendor implementations limit your options
  • Kerberos exhibits its weakness when external users are involved
  • Microsoft Office products do not handle HTTP redirects

• New products or technologies may be required
  • Hosted SSO/federation service is one possibility

• New approaches may be required
  • Identity intermediaries can limit inherent friction

Diagram (labels only): Enterprise AD forest, LDAP directory services, XML gateways, Federation servers, WAM servers, App servers, Applications, Partner sites, ESSO, SSL VPN, Bulk feed.

Examine the Problem

Maybe it is time to look at the business problem, instead of the technology possibilities

Too Much Science, Not Enough Art

The “science project”: connectivity is rarely straightforward

Diagram (labels recovered from the slide): components Enterprise AD forest, LDAP directory, ADFS, SAML-enabled proxy, Federation product, ADFS agent, SharePoint 2003, Web SSO server, Collaborator; flows (numbered 1 to 10 on the slide) SAML assertion, Web SSO token, SID, attribute and group memberships, mapping info and claims, WS-Federation, home authentication.

Growth Rates for Federation

Has anyone spotted the elephant in the federation room?

"How long has THAT been there?"

• > 1,000 connections @ 24 connections / year = 42 years!!

• All right, but what if deployment rate increases?
  • Assume enterprises can deploy 500 connections per year
  • One customer has 34,000 point-of-sale operations
  • 34,000 connections @ 500 connections / year = 68 years!!

• And that’s just for SSO
  • No authorization
  • Not hub-to-hub

The Aesthetics of Ubiquity

Your technology might be mediocre if:

• Adding a connection requires a project manager

• Adding a connection requires lab time

• Each connection requires a custom contract

• You have to coordinate your deployment with others

• The solution only works for the latest-and-greatest infrastructure

• Upgrading a server has ripple effects from end-to-end

• It seems reasonable to measure “connections per year”

What about that glass ceiling?

Interoperability

What if there was a similar program for XACML? Just asking…

Federation Marketplace

• Products: BMC, CA, Entrust, Evidian, IBM, Microsoft, Novell, Oracle, Ping Identity, RSA, Siemens, Sun, Symlabs

• Edge Federation: Cisco, Forum Sys, IBM, Layer 7, Vordel

• Fed Services: Covisint, FuGen Solutions, Symplified, TriCipher, EduServ

Open Source Options

Working on that scalability problem…

Expanding Federations

Federating Federations

SaaS Federations

SSO+ as a Service

Identity Aggregators

Single point of integration for all Nordic e-ID systems

Expanding into other regions…

Looking Ahead

What is the impact of:

• User centric identity approaches
  • Of course, this is in name only
  • User centric becomes a reality when business models support it

• OpenID
  • First party identity systems are not very interesting from a business perspective…

• Information Cards
  • Unlike OpenID, info cards have a real security model
  • But the market is not responding

• OSIS, Information Card Foundation, Identity Commons, Higgins, Identity Metasystem Interop TC, etc

• Can someone please explain this to me?

In Review

State of federation is strong – but the game is changing

Business models are driving up demand for federation technology – and forcing still other changes

Federation and SSO services – an emerging trend to watch


Current State of Federated Identity

References

• Burton Group’s Identity and Privacy Strategies

• In Search of the Internet Identity System: Contrasting the Federation Approaches of SAML, WS-SX, and OpenID

• Federation’s Future in the Balance: Teetering Between Ubiquity and Mediocrity

• Business and Legal issues in Federations

• Information Card Landscape

• A Relationship Layer for the Web… and Enterprises, Too