DENVER - Speaking at last week's Digital ID World conference, American Express, Fidelity Investments, Boeing, Fifth Third Bank, Premier and a host of other companies shared their hopes, early successes and concerns as they try to integrate their identity management services with business partners and customers.
The goal is to let users authenticate once to their own organization's network and then carry that authentication to business partners for access to services or data on the partner's network.
The concept, known as federated identity, would ease user management and the associated costs, improve network security, provide a means to document regulatory compliance and fuel e-commerce and Web services that let partners share computing resources.
Early adopters are reporting some of those benefits mainly in combination with business partners with whom they already have a relationship. Those relationships, they say, are the place to start because they reduce the trust and legal issues inherent in sharing user data and exposing corporate systems.
Both issues are major sticking points for adoption of federation. Adopters are concerned not only about liability for handling sensitive and often private data, but also about how partners will use or share that information onward through federation, which could expose otherwise confidential data.
"The challenge in federation is the trust model," says Mike Beach, associate technical fellow in the shared services group at Boeing. "How do we not jeopardize security, and not anger customers."
Another challenge is standards.
While there is agreement that identity management standards must converge, there is no industry agreement yet on one standard. The Security Assertion Markup Language (SAML) seems to have garnered more acceptance than the Liberty Alliance's federation specifications, although the two will converge in SAML 2.0, which is nearing standardization at OASIS.
IBM and Microsoft are also developing a competing specification called WS-Federation. While different in approach, both SAML and WS-Federation aim to standardize the way companies share user and machine identities among disparate authentication and authorization systems.
Beach says role-based access, in which a user is granted network privileges based on some defined role such as engineer, is another problem area.
"We do role-based access today with about 400 airlines and each one has its own roles. SAML isn't equipped to deal with that," he says.
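The exchange the article describes (a user authenticates at home, the home identity provider vouches for that user to a partner's service provider) and the per-partner role problem Beach raises are easiest to see in code. The following is an added example written for this page, not code from Boeing, Fidelity, or any SAML or WS-Federation implementation. It models a SAML-style assertion as signed JSON: the identity provider (IdP) issues a short-lived assertion bound to one audience, and the service provider (SP) verifies the signature, audience, validity window and replay before mapping the partner's role names onto its own. Two simplifications are labelled as assumptions: an HMAC with a per-partner shared key stands in for the XML-DSig signature a real IdP makes with its private key, and the entity IDs, keys, users and role names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import uuid


class FederationError(Exception):
    """Raised by the service provider when an assertion must be rejected."""


def issue_assertion(idp_key: bytes, issuer: str, subject: str, audience: str,
                    attributes: dict, now: int, lifetime: int = 300) -> str:
    """IdP side: sign a short-lived assertion about a user who authenticated locally.

    The audience field binds the assertion to one partner so it cannot be presented
    to a different SP; the id lets the SP detect replay; the window bounds its life.
    """
    body = {
        "id": str(uuid.uuid4()),
        "issuer": issuer,
        "subject": subject,
        "audience": audience,
        "issued_at": now,
        "not_on_or_after": now + lifetime,
        "attributes": attributes,
    }
    payload = base64.urlsafe_b64encode(
        json.dumps(body, sort_keys=True).encode()).decode()
    # Assumption for this demo: HMAC over the encoded body with a key shared
    # with the partner stands in for a real IdP's XML-DSig signature.
    sig = hmac.new(idp_key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_assertion(token: str, trusted_idps: dict, my_entity_id: str,
                     now: int, seen_ids: set) -> dict:
    """SP side: accept the assertion only if every check passes, else raise."""
    try:
        payload, sig = token.rsplit(".", 1)
        body = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError) as exc:
        raise FederationError("malformed assertion") from exc
    # The issuer field is read unsigned only to pick the verification key;
    # nothing else in the body is trusted until the signature checks out.
    key = trusted_idps.get(body.get("issuer"))
    if key is None:
        raise FederationError("issuer is not a trusted partner")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise FederationError("bad signature")
    if body.get("audience") != my_entity_id:
        raise FederationError("assertion was issued for a different partner")
    if now < body["issued_at"] or now >= body["not_on_or_after"]:
        raise FederationError("assertion outside its validity window")
    if body["id"] in seen_ids:
        raise FederationError("replayed assertion")
    seen_ids.add(body["id"])
    return body


# Constructed illustration of the per-partner role problem: the same "engineer"
# role name arriving from two partners means different things, so the SP keeps
# its own mapping keyed by issuer (hypothetical entity IDs and role names).
ROLE_MAP = {
    "https://idp.airline-a.example": {"engineer": "maintenance-docs-read"},
    "https://idp.airline-b.example": {"engineer": "parts-catalog-read",
                                      "supervisor": "parts-catalog-approve"},
}


def local_roles(body: dict) -> list:
    """Translate a verified partner's role attributes into this SP's own roles."""
    mapping = ROLE_MAP.get(body["issuer"], {})
    return sorted(mapping[r] for r in body["attributes"].get("role", []) if r in mapping)


if __name__ == "__main__":
    SP = "https://sp.example"
    ISS_A = "https://idp.airline-a.example"
    trusted = {ISS_A: b"shared-key-a"}           # constructed demo key
    tok = issue_assertion(b"shared-key-a", ISS_A, "jdoe", SP,
                          {"role": ["engineer"]}, now=1_000_000)
    body = verify_assertion(tok, trusted, SP, now=1_000_010, seen_ids=set())
    print(body["subject"], local_roles(body))
```

The order of checks matters: the signature is verified before any claim is acted on, the audience check stops an assertion meant for one partner being replayed at another, and the role translation happens only after verification, on the SP's own terms rather than the partner's.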
Fidelity has about half a dozen partner companies and 200,000 users on SAML-based federation services. Fidelity also federates between its internal benefits site and third-party providers, and federates internally so that its own users can reach partner services.
"Time and effort put into education and legal issues are among our biggest gotchas," says Alex Popowycz, vice president of information security at Fidelity. But he says the technology solves access issues, and agreed with other users that federated identity will be the wave of the future.
"The technology is not ready today, but federated identity will eventually become ubiquitous," Beach says.