Matt P wonders about the security and reliability of having identity managed as a service. The more I think about IdM as a service, the more I like it. A company might tell you that they are concerned about the security of having their critical IdM systems hosted by (or managed by) someone other than their own trusted "Active Directory guy". But, that same company probably wouldn't think twice about bringing in consultants to help out (who easily have access to plant code, create back doors, enable bad accounts, etc.).
I think most companies are already outsourcing IdM – they just do it on a project basis and therefore have the associated personnel continuity, troubleshooting, and learning curve issues. Not to mention customized hardware and software combinations that nobody has documented or even understands. Wouldn't it be better if the consultants that designed and implemented the IdM solution did it in a repeatable way that is easily understood, managed, and configurable or extensible to adapt to future requirements? And they just continue to manage it taking the burden off of you?
This model also helps with infrastructure reliability due to economies of scale and the value of having a known environment. Yes, the Internet could go down. But, the internal network could go down too. Or the server. Or the database. With a managed solution, someone else will have the economies of scale to ensure a higher up time probability and a quicker response time (if they do it right).
I don't think security or reliability is a good argument against buying into IdM as a service. Data can be encrypted. Admin activity can be monitored. Redundancy can be built-in.
I agree with Matt that "only firms that specialize in the IdM space will be able to be successful hosts." I'd rather see an IdM service company try to move to the SaaS model rather than a SaaS provider try to create an IdM offering. But the complexity, repeatability, and value of IdM seem to make it ripe for a service-based delivery model. What do you think?