Chapter 12. Federating Identity

Brigham Young University recognized the need for an identity infrastructure for their web-based initiatives early, and in 1996, they started a project called "Route Y." Over the years, Route Y has come to stand for many things, but from the start, it was about identity. Faculty and students were given unique, University-wide identifiers, and the directory was made available to projects inside and outside of BYU's information technology group. Over the years, as new web-based applications have been added to the campus computer systems, they've all used this common identity directory.

I recently rejoined the Computer Science faculty at Brigham Young University after being away for several years. I immediately noticed that BYU's strategy for building web-based applications had paid off. I sign in once and can do everything from accessing class rolls to turning in grades. I also noticed, however, that the convenience stops at the edge of campus. When I visit BYU's insurance provider or 401K partners, I have to log in again using a separate ID and password.

For all its power, BYU's directory-based identity infrastructure stops at the boundaries of the organization. Even technologies like virtual or metadirectories don't help. Being separate organizations, with different missions, policies, legal requirements, and security domains, BYU and its health insurance provider insist on managing their own directories of employees and customers. Even so, providing ...
