05.10.2006 12:38Tim Cole

?Federation is a one-way street ? there?s no turning back?
What is driving identity federation today? Andre Durand, CEO of Ping Identity, has an answer.
During Digital ID World 2006 at Santa Clara, Alan Durand, CEO of Ping Identity, talked with KCP senior partner Tim Cole about the future of federated SSO and how it feels to be the Switzerland of the identity market.

KCP: Ping isn’t quite as visible in the identity space as a couple of others.

Durand: Those couple of others being…?

KCP: …well, the regular suspects like Sun, Oracle or IBM, I guess.

Durand: That’s alright, it’s understandable.

KCP: I had you plugged as the federation people, but in your presentations you talk a lot about of things and products that I, quite frankly, knew nothing about. So what does Ping really do?

Durand: It all falls under the federation umbrella. Our mission in life was to facilitate identity portability, and our long-term goal is to figure out how to monetize those transactions. Of course we realise that the community ecosystems didn’t yet exist to create transaction services with the industry, so we have to help create them. By definition, we’re an enterprise security software company that provides federation middleware.

KCP: Recently you’ve branched out into adjacent fields, though, haven’t you? For instance you announced products like Ping Login and Ping Trust, which would seem to come either before or after federation takes place.

Durand: Not really – it’s all federation. Ping Trust is federation for Web services. It enables things like SAML assertions being included in web service requests for identity portability in Web services. Ping Login is really kind of a step backwards, because before you can federate you have to authenticate.

KCP: You also have a provisioning product somewhere in the pipeline, don’t you?

Durand: We’re working on that. It won’t be the kind of identity management product you get, say, from Sun or Oracle, which are basically inside provisioning systems within the enterprise tied to some kind of workflow engine that goes out and adds identity to all the applications in your enterprise. We see us playing a role providing federated provisioning where you’re trying to not only do single sign-on with a partner, but you also have to get those accounts set up with your partner before federation can actually happen. We want a lightweight solution that will allow our customers and their partners to basically synchronize their identity information so that they can then take advantage of federated single sign-on.

KCP: So it’s sort of about basic housekeeping?

Durand: Completely! It’s a precursor to federated SSO. Today, this is happening already, but it’s happening in a non-standard way through batch files or e-mails or what have you. You can’t get one-click federation that way, so we feel we have to do something about it.

KCP: How does Ping differentiate itself from the access-management vendors?

Durand: Well obviously we have a fairly pure view of where federation gets deployed internally versus where it is deployed with partners, which is more like process outsourcing. The requirements are quite a bit higher when you start thinking about scaling your out-of-company interaction. Most people think about federation as simply extending the reach of their internal identity management, a kind of feature extension for a centralized identity management and access control system. I believe that in doing so they are missing a big opportunity for federation as a gateway for your external partners to get into your system and for you to get out to your partners. The sophistication of the technology that needs to go into a deployment for external use places the bar a lot higher.

KCP: This would seem to require lots of openness in the system.

Durand: We play equally well with everybody – sort of the Switzerland of identity federation. We’re the one vendor that can truly say that. No matter whether you have or do not have identity management in place, we’re perfectly happy to talk to whatever you currently do have, or we’re happy to talk to your customers. There’s no proprietary price or additional requirement to use our federation. Most of the suite vendors’ systems require employing their own access management systems. If you’re an ISP, for example, and you don’t want to do access management, but you do want to federate, you are effectively being forced to put in a way too heavyweight identity and access management system just so you can enable single sign-on to your customers.

KCP: So what you have to offer is essentially a stand-alone system?

Durand: Yes, you could have a home-grown application, no access management, no provisioning, just a requirement for federated SSL with a partner, just drop us in. No additional requirements.

KCP: Switzerland, with which you like to compare yourself, has historically always been in danger of being gobbled up by their neighbours. Are you a potential take-over candidate, or do you intend to go it alone?

Durand: Going it alone is not smart, but being gobbled up is not necessarily a foregone conclusion. We have plenty of cash to last a fair ways here in this environment. As you may know we’re institutionally backed by five tremendous venture capital firms. Our investment in this space goes beyond what you would call a normal technology best-of-breed point solution that eventually gets to an inflection point and has to get bought by one of the major players. We spend a whole lot of our new investment in R&D, so we have waves of new products coming out behind our lead product. You don’t normally see that in a company that’s just looking to build kind of a one-hit product and then get sold. If you look at Ping Trust or at what we’re doing in the CardSpace server area, that’s a fairly significant future investment that goes beyond just being able to federate. So I guess you could say our goal is not to get aquired. Our goal is to grow an become a big company.

KCP: One of your investors is SAP Ventures. In fact, we see SAP as being greatly in need of some major-league identity and access management solutions. What if they come around one day and make you an offer?

Durand: Historically, they have not paid up for technology, and I don’t know yet that there is the recognition of federation as the independent market opportunity we believe it represents or whether or not they simply view it as a checkmark standard for integration of their existing stuff. If it’s the latter there will be an obvious disconnect in the valuation.

KCP: SAP has a strong relationship with Siemens in the identity space. Do you think that precludes any deeper relationship with Ping?

Durand: Somehow I never seem to come across Siemens…

KCP: Except in the context of SAP.

Durand: I don’t know. However, it was never my aspiration to allow an SAP acquisition on the heels of an SAP investment. It was simply in recognition of the fact that SAP has 30,000 enterprise customers, many of which are legacy and have modern-day requirements for standard-based SSO for their SAP systems. We’re the only best-of-breed gateway that’s truly interoperable with many other identity management systems and that uses standards without a lot of weight, so it was to explore opportunities which would allow them to interoperate with other identity management systems since they don’t have one themselves.

KCP: What do you think SAP’s strategy will be?

Durand: They can either build and embed their own functionality which in SAP terms would call for a fairly long timeframe – something like release .08 or .09. We have an existing SAP integration kit that works with all SAP systems, so they can simply add it, thus showing the market a federation capability on top of SAP.

KCP: The KCP group recently asked companies in Europe when they thought that serious investment in identity federation would start. Almost 80 percent of the respondents said possibly 2008 but probably 2009. So 80 percent are effectively saying it’s not a priority today. Are the Europeans just lagging behind the U.S. again, or is it similar over here?

Durand: I can’t tell you, but what I can tell you is that we are approaching a hundred customers, some of them abroad but most of them here in the U.S., and we typically deal with three out of the top five worldwide companies in every vertical. So it’s the bigger, more aggressive companies that are leading the way.

KCP: Why is that?

Durand: Well, they’re leaders for a reason, right? They’re leaders because they have enough money and wherewithal to invest in competitive new innovation, and identity federation is being viewed as a way to better integrate and to drive more efficiency into the interaction with their partners. And it’s the leaders who are going to do it first. So while I would predict that only the leading three to five percent of the global 2000 market will be active in federation soon, that adds up to a lot of activity because these are not inconsequential companies. It’s Boeing and Coke and Pepsi and Covisint who are all fairly far along in introducing federation for thousands and thousands of identities.

KCP: What is their business argument for introducing identity federation? In other words: How do you get your customer’s CEO to sign the check?

Durand: There are any number of business level justifications, and many of them are use-case specific, at least initially. It begins with perhaps a customer coming to you and saying: “Look, we just implemented a portal and standards such as SAML, and we contract some kind of outsourced business process to you, some application. You’ve got three months to enable single sign-on.” That’s the way it propagates. The business justification here is to keep the customer happy. There are other scenarios where you reverse that. We had one like that at Fidelity Insurance, where the CIO who was simply trying to set up a teleconferencing phone bridge, but his administrator was out of town for a week and he didn’t know the password. Turned out he couldn’t set up a conference call without the administrator. He got so frustrated that he said: “We need single sign-on to that outsourced teleconferencing bridge.” In this case the bridge operator was Cisco, so when somebody like Fidelity calls Cisco and says: “Look guys, you’ve got two months to get single sign-on working”, Cisco just had to respond. So you see what the driver was here, namely user convenience.

KCP: Actually, one user’s convenience.

Durand: [laughs] You’re absolutely right, one pretty important user’s convenience. What we observe is that there are multiple entry points into the federation conversation, and that once two or three seemingly independent data requirements for federation hit the same group of individuals, they start to wake up and say: “Huh, there’s something larger underneath this wave of requirements for single sign-on”. That’s when they really start to research federation at the infrastructure, very horizontal level.

KCP: Is there a typical decision point?

Durand: They start saying: “Okay, this is not just a standards-based tactical fix for that one-off requirement of our customer. This is now a strategic approach to allow my user to get out to my partner in a standardized way and to allow my partner to get into my system. And there’s no turning back – it’s a one-way street. The speed with which they recognize that has everything to do with how they might justify either a small or a large purchase. What we typically see are smaller purchases that are more tactical, department level, one-off to begin with, followed by another one. By the time they get to number three they step back and say: “Okay, now let’s try and federate everything.” So they go from making purchases that are kind of connection based to making an infrastructure-level purchase in federation.

KCP: Is there a gap between the way federation is viewed by technical people and business people within a company.

Durand: No. The term federation might be a technical term that the business people haven’t heard of yet, but single sign-on is something everybody’s heard of. So a simple description that federation is the ability to enable single sign-on between very different entities is not a difficult concept for any of these people to understand. Also, there are a lot of practical examples. In the U.S. lots of companies use salesforce.com and Webex, and all we have to say to them is: “Hey, when you use those services, do you want automated provisioning and deprovisioning and single sign-on?” Almost anyone in the IT department without even hearing the term federation will understand immediately what the value proposition is. You don’t have to mention the word federation to get across. Now, I might need a lot more explanation and education for the business person to understand the strategic competitive implication of making a larger federation push within their company at this moment in time, so I guess we’re still in the early adopter phase.

KCP: In a speech you gave at Digital ID World you made a distinction between federation and user-centric identity. It seems that you draw the line between B2B and B2C scenarios. Assuming that is a correct analysis, which many might dispute, you then went on say that, either way, the infrastructure needs to be robust enough to handle whatever we throw at it. Sounds very pragmatic, doesn’t it?

Durand: The last thing you want is two infrastructures with overlap. You can see how quickly privacy context skips from one to the other in a few of our use cases. It’s on the fly. The guy’s logged into the Intranet through Windows, and a second later he goes out there somewhere where no privacy needs to be enabled. So passive to active federation context switching can happen literally instantaneously. Do you want to have two separate infrastructures to support that? I don’t think so, it doesn’t make sense.

KCP: I had the feeling at Digital ID World that some people are using the term user-centric to describe sort of the next big thing after federation, implying that federation was yesterday. Doesn’t that worry you?

Durand: That’s my point. However, I understand the marketing aspect of it. Its about creating a new category and dominating it and attempting to disconnect it from the prior category. That’s all happening on the marketing front. I just don’t want the technicians and customers to buy into the marketing jargon that’s been fairly self-serving for those that are looking to create a new sandbox to sell from. The reality is that when we’re talking about identity you can’t have a break in the chain. Identity transactions are going to be chained together and most of them either start or end in a business, so you can’t separate the business infrastructure from the consumer infrastructure in terms of the ability to do business with the business. It’s just one big continuum and if we need to add capabilities such as privacy and user mediation in the transaction, then so be it, but that’s not something completely separate.

Seraphinite AcceleratorBannerText_Seraphinite Accelerator
Turns on site high speed to be attractive for people and search engines.