Architecting enterprise for federated identity

InfoCard is the way to go. The concept is very well engineered. It is commonly accepted by various influential figures in the IT industry and in some other industries (think of showbiz); it has a number of open-source implementations, as well as Microsoft's own (known as Windows CardSpace); and Kim Cameron is a legend. The missing layer of the Internet – identity – has now been found.

So where are the adopters?

Today, there aren’t any of importance (measured by monetary value). The reason is the enterprises, and their ways of architecting their systems. There are two issues – actually, two sides of the same problem:

  • Enterprises are designing their identity management systems and applications assuming they will be in full control of the client identity; and

  • Application service providers are not ready to accept identity assertions issued by other parties – instead, they issue their own, sometimes providing limited delegation.

When talking about application service providers (commonly referred to as just ASPs), I don’t mean it in the pure dot-com sense. Taking into account various B2B scenarios, there are many more ASPs than most of you think – in reality, most enterprises provide access to their applications to other parties.

And we have a problem right there. If I’m an organisation that is using a 3rd-party application for my staff and customers, I still need to be in control of their access to the application. If I give access to a 3rd party, I want a way that allows that party to manage their users’ access the way they already do, and I don’t want to carry the burden of co-managing and supporting access control for other organisations. InfoCard solves the problem: the relying party accepts identity assertions issued by the other organisation, and that organisation keeps control of who gets one. Enterprise applications and identity management systems should be designed for the Identity Metasystem.

They aren’t yet. Enterprise architects must adopt the new paradigm, ditch a few utopian concepts (such as the single customer view) in the process, and actively confront the empire building and control freakdom that plague enterprises today. The outcome is worth it. Think of simplified B2B relationships and acquisitions. Think of new ways of doing outsourcing.

Support from big names is needed. Big business looks to Oracle and SAP to make the first step and make their products (and, no less important, their hosted solution offerings) compatible with InfoCard. Microsoft has to walk the talk and start offering support in its server and business software (I’ll be looking at the Intelligent Application Gateway and the Hosted Messaging and Collaboration and CRM solutions). And those offering identity management solutions – Microsoft, IBM, Sun, BMC – should also provide support.

But for now we have a catch-22 situation – everybody’s waiting for everybody else. Well, Microsoft is in front again, but that’s clearly not enough. Alternatives to the Identity Metasystem look solid – just like SNA looked good compared to TCP/IP some 25 years ago (scalable, secure and supporting QoS – yet a mainframe was required). Alas, you’ll be making a mistake if your solution isn’t compatible with the Identity Metasystem today.

3 thoughts on “Architecting enterprise for federated identity”

  1. I’ve just completed a project where the client provides applications to their partners via Citrix Presentation Server. To do this they provide those users with a username and password (who promptly write them down and stick them to their keyboards). They won’t entertain any sort of federated trust – which surely would reduce support costs. So they have to stick with a method of authentication that requires them to remove rights from the user accounts rather than only grant them the rights they require. It baffles me how people in these companies can call themselves security experts.

  2. The most interesting CardSpace adopter that I’ve read about is Corillian – one of the larger Internet Banking vendors in US (who were acquired recently).

    In the B2B type of space I think the Web Services gateway vendors are the main ones that Microsoft should be trying to work with, since this is the key integration approach that most enterprise architects will be focussed on. That’s where you want the CardSpace identity model to plug in …
