As an entrepreneur who’s been slogging it away in the trenches of identity and federation going on 6 years (yea, I’m feeling a bit old lately), it’s nice to have a few big wins every now and then. This one’s big for us.
Boeing Pioneers Federated Identity Management with Partners
May 10, 2006 (Computerworld) — “We are at the beginning of a very big thing,” says Mike Beach, associate technical fellow at The Boeing Co. “We are on the edge of a huge uptake of this idea of federated identity over the Internet, and in coming years that will be the way people do business.”
The reason, he says, is expense control. The concept of federated identity basically is single sign-on at the browser level, not just for a few applications inside a company but between organizations. If a person is authenticated by his employer, under a federated identity model that authentication is accepted automatically by business partners with which that company has federated agreements, allowing that employee to access information at those other entities to which he has access privileges without having to reauthenticate himself.
Specifically, it means that Boeing’s 150,000 employees and 40,000 retirees can log onto Boeing’s network once and then access benefits information at any of the several financial institutions involved without having to log on to those companies’ networks or applications. And mechanics at Southwest Airlines, which piloted federated identity with Boeing, can access the latest maintenance manuals, bulletins and other information on Boeing aircraft without having to enter passwords or other identification information on Boeing’s portal. Instead, the individual’s identification comes embedded in each transaction using the Security Assertion Markup Language (SAML) standard, part of the XML standard set.
This provides three key benefits. For the user, it makes accessing specific information to which he is authorized on multiple private networks as transparent as accessing public Web pages on the Internet. Actually, most of these transactions travel over the Internet between corporate networks in encrypted form. But the key business driver is that it eliminates the need to manage intermediary passwords, which is estimated to be as high as $500 to $1,000 per user per month. It also simplifies and improves security for the service provider, which no longer needs to track changes in status of people in partnered organizations. So if a mechanic at Southwest Airlines, for instance, leaves the company, Boeing does not need to be informed. As soon as the former employee’s access to Southwest’s network is revoked, he can no longer access Boeing’s information.
Boeing and Southwest Airlines have been pioneering their federated connection for three years, while several business, legal and technical issues were worked out. “For the last couple of years, industry in general has been wrestling with the legal and business implications of federation, the liability issues, and who owns what,” says Beach, “And there were issues with competing standards in the industry. So we were in a holding pattern.”
As those were worked out, Boeing ran into a practical problem. “As we established new agreements with our benefits providers, we added a clause specifying that they would provide a SAML-based federated identity connection,” Beach said. “Many said, ‘Sure, we will be happy to do that.’ Then frequently Boeing would get a call from the provider’s security people asking, ‘Just what is SAML, and how do we set up federated identity?’”
Obviously Boeing’s business partners needed to be educated. Rather than take that on itself, Boeing contracted with Ping Identity Corp. in Denver, a network consulting and software company specializing in federated identity management, to write a manual and educational material covering all the information Boeing’s partners need to set up their end of the federated identification connection and to provide educational and technical support as needed.

Then just as Boeing’s identity management seemed cleared for takeoff, it ran into another snag. The SAML standard was evolving rapidly toward Version 2.0, which will incorporate both of the competing standards. But the software that Boeing was using had not been extended past Version 1.0. Once again Boeing turned to Ping, whose federated identity management solution supports all published versions of SAML.
“Since late last year we have added a half dozen connections with different companies,” Beach says. “We have about 10 customers that are in the process of putting the federated linkage together, and I hear we have talked with more than 20 others. Obviously in the future this is the way business will work.”
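The article describes the federation model in prose: the partner’s identity provider authenticates the user, the assertion travels with the transaction, and the service provider never has to track partner staff changes because a deprovisioned user simply gets no assertion. The following is an added example, not code from the article, Boeing or Ping, that models the two sides of that exchange; it assumes a JSON assertion with an HMAC standing in for the XML Digital Signature real SAML uses, and all issuer names, keys and users are constructed.

```python
import hashlib
import hmac
import json

# Constructed federation agreement: issuers the SP trusts and the key each uses.
# Real SAML binds trust to the IdP's signing certificate; an HMAC secret stands in here.
TRUSTED_IDPS = {"https://idp.airline.example": b"constructed-federation-key"}
SP_AUDIENCE = "https://portal.manufacturer.example"  # this SP's entity ID


def _sign(key, body):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_assertion(issuer, key, subject, audience, now, lifetime=300):
    """IdP side: emit a short-lived assertion naming the authenticated subject
    and the audience (SP) it is meant for, signed under the federation key."""
    body = {"issuer": issuer, "subject": subject, "audience": audience,
            "not_before": now, "not_on_or_after": now + lifetime}
    return {"body": body, "sig": _sign(key, body)}


class IdentityProvider:
    """The partner's IdP. Only currently active users get assertions, so
    deprovisioning here is all that is needed to cut off access at the SP."""

    def __init__(self, issuer, key, active_users):
        self.issuer, self.key, self.active_users = issuer, key, set(active_users)

    def login(self, user, audience, now):
        if user not in self.active_users:
            return None  # not (or no longer) an employee: no assertion, no SSO
        return issue_assertion(self.issuer, self.key, user, audience, now)


def validate_assertion(assertion, now):
    """SP side: trust the assertion only if it comes from a federated IdP,
    is unmodified, is addressed to this SP, and is inside its validity window."""
    body = assertion["body"]
    key = TRUSTED_IDPS.get(body["issuer"])
    if key is None:
        return False, "untrusted issuer"
    if not hmac.compare_digest(_sign(key, body), assertion["sig"]):
        return False, "bad signature"
    if body["audience"] != SP_AUDIENCE:
        return False, "wrong audience"  # stops reuse of an assertion meant for another SP
    if not body["not_before"] <= now < body["not_on_or_after"]:
        return False, "outside validity window"
    return True, body["subject"]
```

The validity window is what bounds the lag between revocation at the IdP and loss of access at the SP: an assertion issued before deprovisioning stays usable until `not_on_or_after`, so keep lifetimes short.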