Back to the Future (of Federation)
I recently developed a “history of federated identity” diagram and marveled at how it was similar, in many ways, to slides I created while working at Burton Group in 2004. Let’s take a look at a few diagrams and see what we can learn about how federation has evolved – and about the nature of technology forecasts in general. And then my next post in this thread will take us forward to the future.
Federated identity is a reaction to the plethora of login accounts that people have accumulated on the Internet and even within a typical (large) employer organization. Standards such as the Security Assertion Markup Language (SAML) and OpenID Connect were created to “federate” a login and/or identity attributes and entitlements across multiple sites, applications or domains, for the convenience of users and of the relying party (RP) organizations. The RP receives assertions, claims or tokens from the user’s identity provider (IDP) vouching that the user is logged in with the IDP and in good standing; the RP’s job is to verify that the token really came from an IDP it trusts, is addressed to it and has not expired before it acts on the claims.
With that quick primer behind us, behold my current (draft and subject to change) History of Federated Identity slideshare diagram.
Pair-Wise Federations
So – federated identity became the “wave of the future” in the early 2000s. At Burton Group, we nurtured the development of SAML 1.0 to make it possible for the web access management (WAM) vendors of the time, such as IBM, Netegrity and Oblix, to provide interoperable web single sign-on (SSO). Early uptake of pair-wise SAML federations began with companies such as Boeing, Fidelity Investments, Nationwide Insurance, Sun Microsystems and some of their business partners. It was an exciting time. Around 2004 I created a presentation with a “waves of federation” slide. Now almost 10 years old, that second slide in the slideshare is remarkably similar to the first (current) one, except that it forecast “dynamic communities” in “2008 and beyond” in the third stage. This is a classic example of how even an industry analyst can sometimes wax overly optimistic. Our CEO Jamie Lewis and my other colleagues had gently mocked the “dynamic federation” concept in an earlier version of the slide, and they were right at least through 2010.
Shibboleth, higher education’s open source implementation of SAML, pointed the way to the future by enabling the development of the InCommon federation across academic and library communities. Soon, other industry or community federations arose, including the National Institutes of Health’s (NIH’s) coupling of parts of government with academia’s InCommon, the Nordic Where Are You From (WAYF) federation, Danish NemLog-in, NaviMedix and Aetna (healthcare), Covisint (automotive supply chain) and others. But not all efforts at industry federation were successful; see Susan Landau and Tyler Moore’s “Economic Tussles in Federated Identity Management” for a good study of how the balance of incentives between IDPs and RPs can influence outcomes.
In the U.S. government space, X.509 certificate-based federations were established, enabling any user with a Common Access Card (CAC) or Personal Identity Verification (PIV) card to authenticate across government facilities. But smartcard-based efforts, including most national ID card initiatives across the world, came with high costs, schedule delays and application integration issues. They continue to be confined to higher level of assurance (LOA) use cases.
Most progress in the enterprise space was made with SAML 2.0, which converged a number of earlier efforts (SAML 1.x, Shibboleth and Liberty Alliance) and interoperated with other standards. By the late 2000s, SAML 2.0 was working quite well, but there remained significant challenges with trust and legal contract establishment. My colleague Michael Neuenschwander wrote an excellent paper titled “Federation’s Future in the Balance: Teetering Between Mediocrity and Ubiquity.” After speaking with dozens of customers that had actually implemented the technology, Mike found a scaling issue for establishing large federations: in addition to the trust/legal challenge, there remained enough technical complexity (metadata exchange, certificate distribution, attribute mapping, testing) to require a small onboarding effort for each new federation partner. Thus, a company with 1,000 partners needing even a week to onboard each partner would be working for 20 years (or would need 20 teams working in parallel for 1 year).
My 2004 “waves of federation” diagram got one thing right: it introduced the concept of an “identity network” (as already seen in the second wave with Covisint, NaviMedix and other industry federations). Only by building identity networks that handle the expensive onboarding process once, on behalf of all members, can broad federations solve Neuenschwander’s scaling problem. This, by the way, was the function of Electronic Data Interchange (EDI) Value Added Networks (VANs) in the pre-Internet days of electronic commerce. And it is one of the functions of a new breed of Identity-as-a-Service (IDaaS) providers such as Intel, Okta, OneLogin, PasswordBank Technologies, Ping Identity and Symplified. Old wine in new bottles.
My 2004 diagram also forecast the rise of “user-centric” federations, which soon emerged with OpenID 1.0 (and LID, SXIP and other now-defunct protocols). Some sort of federation technology needs to be easily accessible to the masses and (the thinking went) address their privacy concerns.
Fast forward to 2013 and we have several types of broad federations.
- Industry federations, like NIH and InCommon, that have grown very large, overlapped their boundaries and just keep getting bigger
- PIV and national identity card initiatives that are also growing and overlapping with banking, aerospace and other industries
- Enterprises with multiple Software-as-a-Service (SaaS) vendors, assisted by IDaaS, as the next evolution of supply chain federations
- Enormous e-commerce communities, such as those of Amazon and eBay
- Social login networks (the biggest of the big)
As I wrote in my reviews of Cloud Identity Summit 2013 keynotes, OpenID 1.0 evolved (by way of OpenID 2.0) into a new suite of federated identity standards: OpenID Connect, which is layered on OAuth 2.0. Huge social login networks from Facebook, Google, Yahoo, Twitter, LinkedIn and many others worldwide are migrating to the latest versions of these standards. Currently, as shown in the slide, the OpenID- and OAuth-based services occupy the lowest rung of the level of assurance (LOA) scale.
Back to the Future
Federation still faces major challenges. Even identity networks have scaling limits, and as they expand so do their assurance issues; one of the latest Internet Drafts in the OAuth family concerns “dynamic client registration” (dare I say “dynamic federation” again, Jamie?).
But I think the biggest challenge for the future will be bridging across identity networks that exist at different levels of assurance. The large high-assurance federations (like PIV) don’t interoperate well with the fast-moving masses of people, devices and applications on the Internet. The large social login systems like Facebook Login are not generally trusted at higher LOAs, so an RP that accepts both kinds of IDP has to cap what a social login can unlock regardless of what the token claims. OAuth 2.0 itself has important assurance issues that I’ve written about.
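The RP-side checks sketched in the primer above, plus the assurance ceiling this paragraph argues for, as an added example that is not part of the original post or of any product mentioned in it. It is a constructed, stdlib-only Python sketch: the RP trusts two made-up IDPs (a PIV-style agency IDP and a social login IDP), each with its own verification key and the highest LOA the RP will grant its logins; the token is a compact JWS (header.payload.signature) carrying OpenID Connect style claims (iss, aud, exp, acr). The issuer names, keys, the mapping from `acr` values to numeric LOA and the HMAC-SHA256 signature (a stand-in for the RSA/EC signatures real IDPs use) are all assumptions of the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed RP configuration (assumption): the IDPs this RP trusts, the key that
# verifies each one's assertions, and the highest LOA the RP will ever grant to a
# login vouched for by that IDP, whatever the token itself claims.
RP_CLIENT_ID = "https://rp.example.com"
TRUSTED_IDPS = {
    "https://idp.example-agency.gov": {"key": b"piv-federation-demo-key", "max_loa": 4},
    "https://login.example-social.com": {"key": b"social-login-demo-key", "max_loa": 1},
}
# Constructed mapping (assumption) from the OpenID Connect `acr` claim to a numeric LOA.
ACR_TO_LOA = {f"urn:example:loa:{n}": n for n in range(1, 5)}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(issuer: str, claims: dict, key: bytes) -> str:
    """IDP side: mint a compact JWS (header.payload.signature) over the claims.

    HMAC-SHA256 with a key shared with the RP stands in for the IDP's real signing
    key; production IDPs publish RSA/EC public keys and the RP verifies with those.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iss=issuer)
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(payload).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, required_loa: int, now=None):
    """RP side: decide whether `token` may open a resource that needs `required_loa`.

    Returns (accepted, reason). Checks run in the order an RP should apply them:
    structure, pinned algorithm, trusted issuer, signature, audience, expiry, and
    finally the assurance level, capped at what this RP trusts the issuing IDP for.
    """
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        payload = json.loads(b64url_decode(p_b64))
        signature = b64url_decode(s_b64)
    except (ValueError, TypeError):
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "malformed token"
    # Pin the algorithm; never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    issuer = payload.get("iss")
    idp = TRUSTED_IDPS.get(issuer) if isinstance(issuer, str) else None
    if idp is None:
        return False, "untrusted issuer"
    # Verify over the exact encoded segments received, so no re-serialization issues.
    expected = hmac.new(idp["key"], f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if payload.get("aud") != RP_CLIENT_ID:
        return False, "token not addressed to this RP"
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired"
    acr = payload.get("acr")
    asserted_loa = ACR_TO_LOA.get(acr, 0) if isinstance(acr, str) else 0
    # A social IDP may assert whatever it likes; the RP's trust in that IDP is the ceiling.
    granted_loa = min(asserted_loa, idp["max_loa"])
    if granted_loa < required_loa:
        return False, f"LOA {granted_loa} below required {required_loa}"
    return True, f"accepted at LOA {granted_loa}"


if __name__ == "__main__":
    now = time.time()
    for issuer, cfg in TRUSTED_IDPS.items():
        token = sign_token(issuer, {"aud": RP_CLIENT_ID, "exp": now + 300,
                                    "acr": "urn:example:loa:4"}, cfg["key"])
        print(issuer, "->", verify_token(token, required_loa=3))
```

Both constructed IDPs assert the highest `acr` value; the agency token is accepted at LOA 4, while the social login token is granted only LOA 1 and refused for a resource needing LOA 3. That cap, applied by the RP rather than trusted from the IDP, is the bridging rule the paragraph above calls for.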
What people want for “assurance” may change, too. Discussions of assurance have typically focused on how to protect users and organizations from hackers. But today, much of the “digital economy” is advertising-funded which has led to ongoing erosion of privacy and a slow-moving compliance train wreck as national regulations in much of the world clash with the aspirations of the large U.S.-based social networks.