Matt Flynn relays an interesting question about federation. The question essentially boils down to this:
How do we audit federation-enabled access to business services?
What I find interesting is not the question or the answer, but how often the question is asked. A few years ago I made the utterly wrong prediction that this would be a big issue by now. With all the attention being paid to compliance in the IdM space over the past few years, there are several explanations as to why this issue is hardly ever discussed:
1) Few businesses are really using federation to enable access to important services to their business partners.
2) Of those that are, many are using a federation service provider such as Covisint. Covisint supplies auditing tools and services to address this need.
3) In some cases federation has been added after the fact to an existing partnership where access was granted via provisioned user IDs and passwords. In this case the service provider likely already has auditing capabilities that are still applicable after the conversion to federation. This was the case with several federation deployments I was involved with at OpenNetwork/BMC.
I had also predicted that this issue, along with the difficulty of establishing the legal agreements needed for federation, would drive business partners to federation service providers like Covisint.