By Daniel Raskin, Product Line Manager, Sun Microsystems, 03/10/2008
Editor's Note: If you like this topic, make sure you sign up for the
ebizQ webinar, Threatscape 2008, which will dig in depth into what threats
to expect in 2008 and how to effectively combat them.
On the business side, collaborating with partner companies to provide customers
and employees with products and services is a top priority that promises to
increase revenue, customer loyalty, and competitive advantage. But for IT, the
growth in these multi-party relationships and delivery as Web services poses
vexing issues on how to manage user identities.
How can partnering organizations verify the digital identities of thousands
or even millions of individuals across an extended enterprise of disparate partner
domains while providing users with single sign-on (SSO)? How can IT protect
access to applications and information and secure Web services delivery? How
can multiple IT systems authenticate and authorize the identity of, for instance,
a wireless phone customer or a stock trader?
The answer is identity federation -- the technologies and standards that allow
partnering organizations to securely share digital identities across multiple
domains. Identity federation provides an auditable framework by which an organization
accepts that external users have been authenticated by a trusted partner, and
enables SSO across partner sites.
While many companies are beginning to use Web services security to secure federated
transactions, others continue to rely on point-to-point solutions that can be
overly complex and fall short of the higher levels of identity-based security
possible with federation. For instance, Secure Sockets Layer (SSL) security provides
no identity capture, no auditing capabilities, no means of enforcement, and nothing
to prove what happened in a Web services transaction. Those capabilities are
built into leading identity federation solutions.
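The mechanism described above (a relying party accepts that a trusted partner has already authenticated the user, and keeps an auditable record of that decision) and the contrast with transport-only SSL security can be made concrete with a short Python example. This is an added example, not code from the article or from Sun's products. It uses HMAC-signed JSON as a stand-in for XML-signed SAML assertions so it runs offline; the issuer URL, audience, shared key and subject names are constructed placeholders, not values from any real deployment.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, List, Optional, Set

# Constructed trust configuration for the service provider (SP) side.
# Real federations exchange X.509-signed SAML assertions; the HMAC-signed JSON
# here is a stand-in so the checks can run without an XML signature library.
# The issuer URL, audience and key are made-up values.
TRUSTED_ISSUERS: Dict[str, bytes] = {
    "https://idp.partner.example/saml": b"constructed-shared-secret",
}
SP_AUDIENCE = "https://sp.enterprise.example/app"


def _canonical(claims: dict) -> bytes:
    # Deterministic serialisation so issuer and consumer sign/verify identical bytes.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(issuer: str, key: bytes, subject: str, audience: str,
                    now: Optional[float] = None, lifetime_s: int = 300,
                    assertion_id: Optional[str] = None) -> dict:
    """What a trusted IdP hands back after it has authenticated `subject` itself."""
    now = time.time() if now is None else now
    claims = {
        "assertion_id": assertion_id or secrets.token_hex(16),
        "issuer": issuer,
        "subject": subject,
        "audience": audience,          # the one SP this assertion is meant for
        "issue_instant": int(now),
        "not_on_or_after": int(now) + lifetime_s,
    }
    return {"claims": claims,
            "signature": hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()}


class FederationConsumer:
    """SP-side assertion consumer: trust, integrity, audience, validity, replay, audit."""

    def __init__(self, audience: str, trusted_issuers: Dict[str, bytes]) -> None:
        self.audience = audience
        self.trusted = trusted_issuers
        self.seen_ids: Set[str] = set()
        self.audit_log: List[dict] = []

    def consume(self, assertion: dict, now: Optional[float] = None) -> Optional[str]:
        """Return the federated subject on success, None on any failure; every decision is logged."""
        now = time.time() if now is None else now
        claims = assertion.get("claims", {})
        issuer = claims.get("issuer")
        key = self.trusted.get(issuer)
        reason = None
        if key is None:
            reason = "untrusted issuer"          # only partners we federate with count
        elif not hmac.compare_digest(
                hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest(),
                str(assertion.get("signature", ""))):
            reason = "bad signature"             # tampered claims or wrong key
        elif claims.get("audience") != self.audience:
            reason = "audience mismatch"         # assertion minted for a different SP
        elif now >= claims.get("not_on_or_after", 0):
            reason = "expired"
        elif not claims.get("assertion_id"):
            reason = "missing assertion id"
        elif claims["assertion_id"] in self.seen_ids:
            reason = "replayed"                  # assertions are single-use
        # Identity capture plus an audit trail: the two things transport-only
        # security (SSL alone) does not give you.
        self.audit_log.append({"time": int(now), "issuer": issuer,
                               "subject": claims.get("subject"),
                               "result": "accepted" if reason is None else "rejected",
                               "reason": reason})
        if reason is not None:
            return None
        self.seen_ids.add(claims["assertion_id"])
        return claims["subject"]


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run the happy path and the main failure modes; returns the outcomes for inspection."""
    idp = "https://idp.partner.example/saml"
    key = TRUSTED_ISSUERS[idp]
    sp = FederationConsumer(SP_AUDIENCE, TRUSTED_ISSUERS)
    good = issue_assertion(idp, key, "trader42@partner.example", SP_AUDIENCE, now=now)
    tampered = json.loads(json.dumps(good))          # deep copy, then alter the subject
    tampered["claims"]["subject"] = "admin@enterprise.example"
    other_sp = issue_assertion(idp, key, "trader42@partner.example", "https://other.example", now=now)
    unknown = issue_assertion("https://rogue.example/idp", b"rogue-key", "x", SP_AUDIENCE, now=now)
    return {
        "accepted": sp.consume(good, now=now + 10),
        "replayed": sp.consume(good, now=now + 20),
        "tampered": sp.consume(tampered, now=now + 10),
        "wrong_audience": sp.consume(other_sp, now=now + 10),
        "expired": sp.consume(issue_assertion(idp, key, "u", SP_AUDIENCE, now=now), now=now + 400),
        "unknown_issuer": sp.consume(unknown, now=now + 10),
        "audit_entries": len(sp.audit_log),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the example is which checks the relying party performs before it trusts the partner's word: the issuer must be on its trust list, the assertion must be intact, it must be addressed to this service, still valid, and not seen before, and every outcome is written to an audit record. Replace the HMAC with an XML signature check against the partner's certificate and the same logic applies to a SAML assertion consumer.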
The Journey from SSO to SOA
The concept of identity federation has been around for several years. Initially,
the focus was on developing common standards that would enable partnering organizations
to securely share identity data. Because every company that does business with
companies beyond its confines must grapple with how to manage identity across
boundaries, identity federation is increasingly a hot topic for both IT and
business. Its role in this essential challenge has unfolded in three stages.
Stage 1: Internal SSO. The precursor to federated identity was internal
SSO -- enabling employees to log in to multiple applications, within a single
security domain, with a single user name and password. This stage focused on
solving the most basic SSO problem, but securing identity has since grown more complex.
Today, the need for federated SSO to secure identity is growing organically
within the enterprise as more employees turn to consumer-oriented Web applications,
such as Google Calendar, Facebook, and WordPress as an alternative or complement
to internal applications.
Stage 2: Extranet-facing. The demand for federation at the extranet
level is driven not only by the opportunity to reduce costs through outsourcing
but also by companies' ability to leverage federation to extend customer-facing
services and grow revenue. Federation offers a compelling way to securely make
other companies' resources available to the enterprise -- and vice versa.
Stage 3: Web services security. Attention is shifting to the challenge
of ensuring that Web services delivered by organizations are secure. This can
be achieved by tying identity federation to the process of authenticating users
for access to Web services. In this scenario, access to Web services is secured
with a federation-driven identity management solution within a service-oriented
architecture (SOA).
With a standards-based identity federation solution, organizations don't have
to build security into every application that's developed and delivered as a
Web service. This is crucial to being able to scale to secure the millions of
transactions that typify many services-centric Web sites today, especially in
transaction-driven industries such as financial services and telecommunications.
With the maturity of such standards as SAML (Security Assertion Markup Language),
WS-Federation, WS-Security, and WS-Trust, identity federation is moving out
of the ivory tower and into the real world of standards-based services delivery.
Yet even as adoption grows, certain myths around identity federation persist:
Myth #1: Federation takes too long to implement. It doesn't. In most
cases, an end-to-end solution can be implemented in 90 days or less. Most of
that time is usually in architectural design and planning, with the actual deployment
in a matter of weeks or days.
Myth #2: Federation is expensive and requires large investment. The
short timeframe for implementation helps make an identity federation solution
very affordable, and once in place, it is a scalable and repeatable solution
that helps drive revenue while decreasing operational costs.
Myth #3: Federation requires an existing access management infrastructure.
It doesn't. A good federation solution is architecturally agnostic and should
not require an organization to change its existing identity infrastructure.
Myth #4: Federation, Web services security, and access management require
standalone products that need to be licensed and deployed separately. Not
true. Solutions now are completely self-contained and can cover federation,
access management, and Web services security in a single product.
What's Next: Federation in an SOA
Identity federation is a topic of intense interest these days, as more and more
companies look for a foundation that enables secure, efficient, and cost-effective
online collaboration among multiple partners. The wealth of possibilities that
it offers for securely delivering services and sharing information across organizations
is increasingly well recognized.
At the same time, companies want to transition away from costly point-to-point
connections between entities and applications. With an SOA and its component-based
model, constructing secure frameworks for federation is becoming easier than
ever.
About the Author
Daniel Raskin is the Product Line Manager for Access Manager and Federation Manager on the Identity Management team at Sun Microsystems, Inc. Previously, Daniel played a key role in the development of the Java Enterprise System product strategy and Sun's systems management strategy. Prior to joining Sun, Daniel worked at CTB/McGraw-Hill developing research-based online assessment software for children and adults.
Sun technology manages billions of user identities worldwide for more than 5000 organizations, including Fortune 50 companies, that rely on Sun's identity management portfolio for provisioning and secure access, ongoing compliance and federation. Sun's identity management portfolio is designed to streamline and simplify the process of managing user identities across a variety of applications. For information on Sun's Governance, Risk and Compliance (GRC) strategy and identity management portfolio, visit: www.sun.com/identity