Conor Cahill of Intel lays out the case for why businesses should adopt federation now for consumer-facing applications. Conor makes the point that most federation deployments today are internal enterprise federations where the same business entity is both the IdP and the SP.
While I completely agree with the arguments Conor makes, I don’t feel he is making the right ones. He does a good job of pointing out why consumer-facing applications should be federation-enabled from a security standpoint but doesn’t address why this is a good thing from a business standpoint. While everyone agrees that better security is better business in theory, in reality it isn’t that simple.
The main problem is that in federation it takes two to tango. Let’s look at the LinkedIn example Conor gives. From a security standpoint, everyone agrees that giving your user ID and password to LinkedIn so it can screen-scrape your Gmail account is a really bad idea. But to set up a federated relationship between LinkedIn and Google would take some amount of time and money on Google’s part. What does Google get out of it? For that matter, what would LinkedIn really get out of it? Would establishing such a federation gain them any significant increase in users?
What is needed to move federation forward for consumer applications are compelling business cases, not security ones. Companies will buy technology that increases security, given the proper pricing model. But selling federation is not about selling technology; it is about selling a partnership. That has to come with a real business benefit.