James McGovern asked me some questions about identity. Here are some answers:
James: If I work for a premier outsourcing firm and I have been asked to develop a software architecture document describing how identity should work and be consumed within an enterprise application I am thinking about, what should this document look like?
That's a question with a long answer. The short answer is "read chapters 13-20 of my book. There are multiple parts, including a data model, a process model, an interoperability framework, a policy set, and multiple reference architectures.
Taking the above question, one step further how should they describe the notion of entitlements?
I believe that entitlements should be managed by information owners or custodians and that the architecture should allow for that. Further the number of entitlements has to be limited to certain classes of data.
In a federation that actually consumes identity of an outside party, the possibility exists for conflicts. For example, let's say that I wanted to have E&Y employees audit our books for one part of the company and them also consult on changing the general ledger. Ignoring for a moment that this is against the law (in most cases for public firms) who has the responsibility in terms of an identity ecosystem for handling the notion of a Chinese Wall?
Federation should extend to authentication, not authorization. Thus while E&Y would be responsible in the above scenario for saying who was an E&Y employee and authenticating them, the host company would be responsible for ascertaining who had access to what.
InfoWorld does a great job of covering all the wonderful vendors in this space and all of the wonderful products that are available for sale but readers don't know which Fortune enterprise has the most mature thinking and/or implementation in this space. What would it take for this to be an upcoming InfoWorld article?
I just finished a feature story on federated identity governance that focuses on what real companies are doing to solve their federated governance problems. That might have some of what you're after.