September 1st, 2006

Responding to Dana's views on federated identity

Posted by Eric Norlin @ 8:20 am

Categories: General

Blog note: This is a guest column that comes to us from Andre Durand, CEO of Ping Identity corporation.

I read with frustration a recent article posted by Dana Blankenhorn titled “Too late for federated identity”. Perhaps my reaction was mostly to the title, which assumed to make broad stroke assessments of an industry that is vastly more robust than is given credit.

In the article, Dana puts forth several thoughts in quick succession:

1) single sign-on as a technology has been around for a decade and not taken off (I disagree, adoption is today a several hundred million dollar industry and is being adopted in every vertical and by all sizes of companies. I would agree that the use-cases are today mostly confined to employee-facing (internal enterprise) use-cases, but expect this to bleed over as the technology is expanded to address privacy and the sophisticated 3rd party trust models which will enable federation and SSO at scale).

2) the problem has less to do with technology and more to do with human nature (while I might generally agree with this statement, in the context provided, I disagree — we didn’t have the right technological approach until federation standards were agreed to, a most recent reality in the time frames quoted. That’s not to say there aren’t still non-technical hurdles to overcome both in federation and in the broader context of internet-scale identity, but a suitable form of interoperable technology has not been available until very recently).

3) users have created their own ways of dealing with the problem (I agree – what choice have end-users had but to improvise their own processes to deal with the complexity forced upon them by multiple accounts? This unfortunate reality however does nothing to preclude a more efficient model from emerging.)

4) he would feel more comfortable if all of the identity and access management source code Sun recently released were instead placed into an Apache project and license instead of placed under the Common Development and Distribution License, otherwise known as the CDDL. (How could I argue with that, more open is better than less, yet a healthy federated identity ecosystem will likely evolve multiple forms of the technology, available by multiple vendors under multiple licensing scenarios.)

While as an entrepreneur in the federated identity market, I would love for things to happen more quickly, in my experience, it takes time to adopt and integrate most new networking technologies, especially infrastructure technologies such as federated identity. On the positive side, networking technologies, once they take hold, are nearly unstoppable. I like to think of them as one-way death marches.

The adoption of federated identity falls into this category, as it’s simply the next natural, required networking of our existing silo’d identity management systems. Choosing to not cross boundaries with security and ease, while perhaps indicative of the world until now, is no longer an option, and Web 2.0 mashups, SaaS, on-demand applications and SOA will only accelerate this trend in both consumer and enterprise settings.

No longer do end-users allow themselves to be confined to a single domain — such were the walled garden approaches of the AOLs prior to the Internet as we know it. No longer does the enterprise security interest stop at the firewall, as employees regularly roam far beyond a company’s internal access controls in the normal course of everyday business. Joint ventures, M&A as well as tighter supply chain integration are all drivers for federated identity, and while we might debate the speed at which adoption will occur or which segments will move first, the alternatives provided for by the status quo (silo’d systems) or centralization are simply not options in many if not most scenarios in the long-term. In short, there is simply no way that the current paradigm can continue to scale, unchanged, to the efficiency required by a global market without the introduction of federated identity. As I think everyone would agree, global centralization, at least within the enterprise market, is simply a non-starter.

As with most networking technologies, initial progress does indeed appear slow, but don’t mistake that for non-progress. Having been involved in the federated identity market since 2002, and having actively participated in its evolution for the past 5 years, I’ve come to appreciate and recognize both the barriers and call signs of an industry that is on the cusp of breakout.

To put any technology adoption timetable such as this one in context, one first must recognize we couldn’t have gotten here without an agreement on technology and perhaps more importantly, messaging and protocol standards. Federation is after all, fundamentally a networking technology, and getting vendors and customers alike to agree has not been a trivial effort. Fortunately, this three year effort is now behind us. 

While SAML and Liberty were incubated around the same time in early 2000 and 2001, it’s only been within the past 18 months that the industry as a whole consolidated around SAML 2.0 and WS-Federation. Furthermore, while standards are a critical component of enabling a technology adoption, customers need more than standards to federate, they need reliable, easy-to-integrate software, and most vendors are some ways yet from achieving this fairly mundane requirement.
  

At Ping Identity, our experience with hundreds of global 2000 companies who have invested significantly in identity federation has led us to believe that federation will adopt in three major waves, each roughly 12 to 18 months apart.

The first wave began only this year, and is characterized by the most competitively aggressive companies expanding their security and back-office (employee facing) interactions through federated single sign-on with their tier 1 partners and customers. In the first wave, federation is validated as a viable approach to application, user and security integration, and we typically see companies establishing between 3 and 6 federated connections.

The second wave is simply an expansion of the first, where the number of federated connections (partners) is expanded roughly one order of magnitude. In this phase, companies expand federation from 3 to 6 connections to 30 to 60 connections.

Where we believe federation will achieve a tipping point is in the third wave, where single connection users (spokes) turn into hubs, where whole federations begin to inter-connect and cross pollinate and where the end-user use cases become accommodated through technologies such as CardSpace by Microsoft or the OSIS initiative which is building open and interoperable identity systems for end-users.

In the third wave, anyone who has not already federation-enabled their infrastructure will be forced to do so by customers, partners and internal use-cases. The sheer volume of use cases and integration requirements will force the rest of the non-federated market to move. We’re within 36 months of this taking place.

Of course, we’ve got a few more years here while the trust models, liability shift issues, technology integration issues and use-cases become well established and fully baked, but all the indicators of a healthy market on the rise are there.
