by Dave Linthicum

Web Services and Federated Identity

May 9, 2007


Sorry for the late blogging, I’ve been at the 2007 Web Services Security Conference and Exposition held near Baltimore, MD. I did the keynote presentation at 9:00 AM on identity management strategy. I also sat on the 1:00 PM panel, also on identity management. No WiFi there…there should be a law. 🙂

Since the advent of Web services, and other distributed computing standards for that matter, we’ve been wrestling with the notion of identity and how to manage it. Truth be told, identity management has been put on the back burner as organizations attempt to get their first Web services projects up and running. However, as Web services become more pervasive, this is an issue that is getting more attention.

With the increasing interest in identity management has come the need for standards to better define this space. These standards all aim at binding together the identity management systems within all organizations into a unified whole, allowing everyone to be known to everyone else, securely.

So, why do we need identity management? It’s the fact that Web services are not for internal use anymore, and those who leverage Web services (consumers), or produce Web services (providers), need to be known to each other, else we risk invoking malicious or incorrect behavior, which could cost us dearly. This is clearly the case within trading communities that leverage Web services. Many outside organizations are binding to your services and you to theirs, and the potential for disaster increases unless you know just who you’re dealing with.

Identity is important to the growth of sensitive data and confidential relationships online. Without identities there is no way to give particular users access to particular resources.

Today, we use managed identities, including different user names, passwords, and other identifying attributes. The same person may have links to many organizations, including frequent flyer sites, banking sites, employee benefit sites, etc. Perhaps you have a list of user names and passwords in your drawer today.

The number of identities that we have creates a challenge. We’ve all written down user IDs and passwords on sticky notes just to remember them. Moreover, IT organizations find it increasingly difficult to manage the profusion of identity databases, even within their own organization. The problem becomes more of an issue as we extend our reach outside of the firewall, between organizations. Enter federated identity, a potential solution to this problem.

Federated identity, and its supporting standards such as those from OASIS and the Liberty Alliance project, defines mechanisms that organizations may employ to share identity information between domains. While most understand the value of an identity management system internal to an enterprise, federated identity presents a new set of problems, and an opportunity for solutions.

There are many benefits to employing federated identity solutions, including the ability to perform logging and audit functions centrally, reduced costs associated with password resets, and secure access to many existing heterogeneous applications.