Friday, May 02, 2008

A case for Identity Federation for the Enterprise

When it comes to identity management, enterprises today tend to care only about user provisioning, compliance and (worst of all) single sign-on.

Identity federation - like Liberty - is usually not really considered. And I neglected it, too, since customers were not really interested in it or asking for it.

However, there is a good use case for federated identities within enterprises... I choose to say "within" because the case I'm about to make is one where the user should not see enterprise borders:

Consider an outsourced process - like HR in our case at Sun - where your employees have to access an application that is outsourced as well. People then have to sign on to computers that are not operated by you (your IT).

Big deal... those applications can easily access my directory (LDAP or AD)... so why would I need identity federation there?
And you might even trust those external applications to access your directory securely this way.

But you don't want your users to enter their corporate user ID and password at any remote site - even if you trust that company.

If you do, you open up big potential for phishing: once users are used to typing their corporate password into someone else's login page, they have no way to tell the legitimate remote form from a fake one. By using federation you keep the input mask for your user IDs and passwords within your IT, operated by your staff, transported only over your network; the outsourced application receives only a signed assertion saying who the user is. The password never travels to the remote site, so the risk of interception is no higher than it is within your own network.
That's the point.
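As an added example (not code from the original post or from Sun), here is a minimal model of the trust structure the post describes: the identity provider inside the enterprise checks the password against the directory and issues a signed assertion; the outsourced service provider is configured with the IdP's public key only, verifies the assertion, and never sees a password. The user names, the directory contents, the compact `payload.signature` token encoding and the five-minute lifetime are constructed for the example; a real deployment carries SAML 2.0 / Liberty assertions with XML signatures over a browser redirect, but the checks the SP has to make (signature, issuer, audience, validity window) are the same.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Assertion is a simplified stand-in for a SAML assertion: subject, issuer, audience, validity.
type Assertion struct {
	Issuer   string `json:"issuer"`
	Subject  string `json:"subject"`
	Audience string `json:"audience"`
	IssuedAt int64  `json:"iat"`
	Expires  int64  `json:"exp"`
}

// IdentityProvider runs inside the enterprise: the only party that sees passwords or holds the signing key.
type IdentityProvider struct {
	Name      string
	Public    ed25519.PublicKey
	private   ed25519.PrivateKey
	directory map[string]string // constructed stand-in for LDAP/AD: userid -> password
}

func NewIdentityProvider(name string, directory map[string]string) (*IdentityProvider, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IdentityProvider{Name: name, Public: pub, private: priv, directory: directory}, nil
}

// Authenticate checks credentials against the directory and, on success, issues an
// assertion signed for one specific service provider.
func (idp *IdentityProvider) Authenticate(userid, password, audience string, now time.Time) (string, error) {
	if stored, ok := idp.directory[userid]; !ok || stored != password {
		return "", errors.New("authentication failed")
	}
	payload, _ := json.Marshal(Assertion{ // marshalling a plain struct cannot fail
		Issuer: idp.Name, Subject: userid, Audience: audience,
		IssuedAt: now.Unix(), Expires: now.Add(5 * time.Minute).Unix(),
	})
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(ed25519.Sign(idp.private, payload)), nil
}

// ServiceProvider is the outsourced application. It holds only the IdP's public key, so it
// can verify assertions but not mint them, and no code path here ever receives a password.
type ServiceProvider struct {
	Name      string
	IdPName   string
	IdPPublic ed25519.PublicKey
}

// Accept validates a presented assertion and returns the authenticated userid.
func (sp *ServiceProvider) Accept(token string, now time.Time) (string, error) {
	head, tail, found := strings.Cut(token, ".")
	payload, err1 := base64.RawURLEncoding.DecodeString(head)
	sig, err2 := base64.RawURLEncoding.DecodeString(tail)
	if !found || err1 != nil || err2 != nil {
		return "", errors.New("malformed token")
	}
	// Check the signature before trusting anything inside the payload.
	if !ed25519.Verify(sp.IdPPublic, payload, sig) {
		return "", errors.New("signature does not verify against the IdP key")
	}
	var a Assertion
	if err := json.Unmarshal(payload, &a); err != nil {
		return "", err
	}
	if a.Issuer != sp.IdPName {
		return "", errors.New("assertion from an unknown issuer")
	}
	if a.Audience != sp.Name { // an assertion minted for another service must not replay here
		return "", errors.New("assertion is for a different audience")
	}
	if now.Unix() < a.IssuedAt || now.Unix() >= a.Expires {
		return "", errors.New("assertion is outside its validity window")
	}
	return a.Subject, nil
}

func main() {
	idp, err := NewIdentityProvider("https://idp.corp.example", map[string]string{"alice": "correct horse"})
	if err != nil {
		panic(err)
	}
	sp := &ServiceProvider{Name: "https://hr.outsourced.example", IdPName: idp.Name, IdPPublic: idp.Public}
	now := time.Now()
	token, _ := idp.Authenticate("alice", "correct horse", sp.Name, now) // the login form is the IdP's
	user, err := sp.Accept(token, now)                                   // the SP sees only the assertion
	fmt.Println(user, err)
}
```

The asymmetric signature is what makes the argument hold: with a shared secret the outsourced provider could mint assertions itself, whereas here it can only verify them. The audience check matters just as much, since an assertion issued for one outsourced application must not let its holder into another one.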
