Tuesday, March 18

Governance of Distributed Federation Systems

I received a very interesting query a few days ago that I've been thinking about, but I don't have an answer. I wonder if any of you have the answer?

B. is concerned (and rightfully so) that nobody is thinking about audit issues related to federated IdM. He asks:
Are there any standards, or is there any organization that does audits of "federated" IdM systems? [We] are rushing into deploying a federated IdM, built around Shibboleth. I am concerned that very few institutions have done internal identity audits, and nobody is thinking about issues related to federated IdM.
Is this an area for concern? Even if the technology is solid, how do you confirm that it's implemented correctly? Are there organizations that will put a meaningful stamp of approval on individual implementations? Across organizations?

Paul Madsen said...

B should look at the Liberty Identity Assurance Framework