One of the issues raised at last week's Burton Catalyst conference was the inability of current federation systems to rapidly scale. Mike Neuenschwander gave a presentation where he posed the question "How does an organization connect 70,000 partners in a year?". His line of reasoning was "If adding users requires more admins, itís broke." This blog will agree in some respects with Mike's position and respectfully disagree in others. I will end by proposing new ways of doing federation models that can scale rapidly.
What are the main components of a federation model?:
* Contractual relationship
* Identity management for the partners
* Testing environment
* Operational monitoring to provide and enforce SLA's and OLA's
* Identity management for the enterprise offering the federation
Let's look in detail at each component.
This, in my own personal opinion, is one of the largest hurdles in creating a federation. There are many factors that enterprises must agree to including things like:
Technical - Federation standards, communications security, certification, authentication used, and identity attributes
Risk and Liability Limits
(for more information please read a paper I wrote on this last year "Creating a Federated Authentication Trust")
For many business partners who are much smaller than the enterprise offering the federation service, the contract may be readily agreed to without much thought to the consequences if something goes wrong. Small businesses will agree because they want to do business with the larger enterprise. However, medium and larger businesses may take time in agreeing to the contract and possibly want to negotiate on certain items where they feel the risk is too high for them.
Identity Management for the Partners
Most small and even many medium sized enterprises don't have identity management systems. This poses a distinct problem in federating with a large enterprise who does. Without this, the federation service won't work. In my mind, the next biggest challenge after quickly getting agreement on the contract is trying to get small and medium sized enterprises to implement some form of identity management system which can then provision the identities and establish a federated trust relationship.
This too can be a big problem in creating rapid federations. Often there may be a significant time lag in getting a partner to agree to the federation and then to get them to test the federation environment. Often times, there may also be a booking factor in getting time to test in the test environment.
Most small and medium sized businesses who are federating with a large partner are at the mercy of the large partner's monitoring systems, since they don't have sophisticated monitoring on their side of the connection. As a result, they are contractually obliged to the monitoring data coming from the large federation.
Identity management for the federation
The large enterprise running the federation usually has good to excellent identity management systems in place. A requirement is that they are able to offer, or capable of offering multiple federation protocols as these develop.
Taking into account all of the above, how can we design a federated trust model that scales rapidly with little human involvement?
In my mind there are two main groups of partners. Small ones who lack infrastructure and contractual knowledge and medium to large ones who have infrastructure and contractual knowledge. Let's examine innovative solutions for the small enterprises. I'll use an example of a company called Acme Inc who has 50,000 partners it wants to federate with, most of them being small enterprises with little or no identity management systems. In the example I'll use a small business partner "Bob Co" to whom it wants to federate. Bob Co has 50 employees.
Acme doesn't want to spend the time and money helping each of the 45,000 small businesses it wants to partner with establish their identity management systems. However, it needs to assist them in some way or Acme can't realize the benefit of the federated model. As a result, Acme decided to out-source this problem to enterprises who offer innovative identity management solutions. Here's the business process they design for Bob Co.
Bob Co is sent an email outlining the benefit of federating with Acme. As well, Acme sales reps and the Acme call center are also given scripts to use in discussions with Bob Co.
Bob Co's CEO decides it is in his own business interest to pursue this with Acme since he wants their business. He then clicks on a link to Acme's partner website. There he finds numerous online materials describing different parts of the federation trust model. Unfortunately, Bob Co's CEO doesn't read these. Instead he immediately clicks on the "Let's Get Started Link".
He is then presented with a online form. After entering in his company information, the form then checks the Acme partner database and calls up the information about Bob Co. After agreeing that this is his company, the form then changes. It now asks Bob Co's CEO a starting question:
"Does your company have an identity management system?"
Since Bob Co's CEO doesn't even know what an identity management system is, he clicks on a button "Explain to me what this means". He is then given a quick two minute tutorial on what an identity management system is. After returning to the main screen, he then clicks "No" as the answer to the question.
The screen then changes. It now asks him if he is running a Window's network? If so, it then asks him what version of software (e.g. NT, XP, Win 2000, Vista). Since Bob isn't sure he saves the form and then goes to get his answer.
He returns and then enters NT. At this point the screen then connects him to a choice of outsourced identity management providers. These use a combination of outsourced identity management tools that Bob Co can use. Their pricing is by the number of users. Therefore, Bob Co's CEO has a choice of options for as little as 10-20$ month that will start him off with a manual identity entry and also provide him with the outsourced authentication and federation trust management. Bob Co's CEO can click on a link and immediately talk to the outsourced provider's staff who can step him through the questions.
Note that if Bob Co already had an AD directory or an existing database of identities (like payroll), the outsourced identity management provider might try and use a virtual directory to tie to the identities.
The main point I am making is that Acme has outsourced the identity management problem to a new type of enterprise offering innovating solutions, at low cost, to small and medium sized enterprises. For a very low cost, Bob Co can manually enter in their employees online, have this automatically placed in a directory, authenticate to the directory and have it automatically take care of the federation trust. Further, the outsourced provider can also use monitoring tools to ensure that the SLA's and OLA's are met in the contractual agreement that Bob Co is signing with Acme. Bob Co doesn't have to know anything about identity management. They just consume the services.
Note: This new type of enterprise service offering is just beginning. It doesn't exist yet in most countries since the demand hasn't been there. I believe that if Acme and other like minded large enterprises want this as a requirement to do federation that this type of service offering will quickly grow.
When Bob Co's CEO has completed the identity management question on the form, he is now provided with the contract and a click here to agree to it. If he has any questions about the contract, he can click on the "Contract Questions" link. This will take him to various online materials about the contract and answers to specific questions about each component of the contract.
If Bob Co's CEO doesn't like the contract, he can then click on a button indicating he won't sign the contract. Now he is routed to the Acme Federation Team's legal experts to have more discussions.
Assuming that Bob Co's CEO accepts the contract he can now move to testing. Since he is small and is using one of the identity management outsourcers, he doesn't have to test since the outsourcer already has tested against the Acme interface. In this case, Bob Co's CEO proceeds on in the form.
He clicks a button agreeing to all terms and conditions and is immediately activated with Acme for federation. He logs on to his outsourced identity service and clicks on an Acme link on his web page. He is immediately federated with Acme.
Medium to large enterprises
These enterprises start by using the same form that Bob Co used. However, when they indicate their enterprise name and say that they have an identity management system, the form changes. Now they are asked many specific questions about their identity systems. If at any time they are confused, they can click on a "Identity Assistance" button. This will take them to online resources explaining what the questions mean (e.g. identity attributes, authentication strength, etc.). If they are still confused, they can click on a button "Live Assistance"). This will take them to an Acme call center. There the person will either use text and or voice to assist the enterprise with their questions. Any questions which the call center can't answer are then referred to the Acme Federation Trust team.
When the federation partner agrees that they can complete the identity management system requirements, their online form then asks them to approve the contract. As with Bob Co, the enterprise can review the contract and click on buttons explaining different parts of the contract. If they have trouble in coming to agreement with the contract, they will click on a button and be referred to an Acme Federation legal expert. On the other hand, if they click that they will accept the contract, then they will be taken to the testing section of the form.
Here the form provides the federation partner with test tools that can be done offline to speed up the process. As well, Acme also has capacity planning test data available to show the partner that they have done this testing already. By using offline testing, this speeds up the test environment process. As well, they can automatically book times for the test environment. Acme has used virtual environments to create a test environment where the throughput capacity of many clients doing testing can be done quickly and inexpensively.
When the partner is ready, they click on a button and they are activated for federation.
The model I have described above is a scalable federation trust model. It uses automation and online materials wherever possible to educate and answer questions in advance. However, it also recognizes that there are times where human assistance is required. In these cases, it uses low cost human assistance, like a call centre to answer basic questions. It then uses higher cost assistance, like the Acme Federation Trust team where their expertise is required.
Further, the model outsources those areas where Acme's time and expertise isn't valuable. Thus Bob Co can deal with an outsourcer, either online and/or directly, to establish a low cost, low maintenance, identity management system sufficient to allow them to federate with Acme. The outsourcer service will range from a bare bone, manual identity entry system, to the use of virtual directories tied into the partners' databases and directories.
Acme also uses innovative test tools and environments to quickly process partners through the system. Many small partners will skip this test as the outsources have already tested the Acme federation environment. Where medium to large enterprises want to do their testing, Acme offers tools to do testing offline and also made a large number of test environments available virtually, which are bookable online, to keep the throughput high.
Mike's presentation last week at Burton was good in raising the points about scalability. However I thought it lacked a real world implementation perspective. Most of the 70,000 businesses in his question are identity neophytes. Further, they don't want to know that much about it. It is this group that requires new innovative services to provide them with the basic infrastructure, at low cost, to enable them to participate in an identity federation. I believe that it is only by outsourcing the problem and turning it into a commercial opportunity that the scalability can be acheived.