BT is experimenting with a federated identity management system that could be rolled out to its eight million internet users and corporate customers. A commercial version would allow users to identify themselves to websites and applications, and allow other users to access data, do work and transact business, said Robert Temple, BT's chief security architect.

Using CA's Siteminder software, BT is giving internal staff web access to applications such as PeopleSoft, Siebel, Oracle Financials, Citrix, an XML gateway and a voice-verification system from Persay. Temple said the company's intention is to provide managed user identity as a "common capability" of the kind relatively common in IT but rare in telecommunications.

Temple said BT runs 32 discrete networks and, as a result, has too many Radius authentication servers. Learning how to consolidate the management of user identities across all these networks is the only way it could extend similar safeguards to BT customers, he said.

BT has opted to use the Liberty Alliance's Security Assertion Markup Language (SAML) 2.0 standard for federated identity management. However, it has proved hard to find external contractors willing and able to help, as most were familiar only with earlier versions of SAML.

Temple noted that relationships between BT and the organisations sharing its federated IDs were plagued by lawyers and contracts. "In the end, we asked the lawyers politely to get out of the way as we knew what we were doing," he said. Temple said this was not to minimise the legal issues, which required partners to spend a lot of time building trust in each other. These lessons would help to reduce the learning curve for user organisations when the time came for them to make more use of the web for business applications...