Benefits of Federated Identity

Federated digital identity can deliver several compelling benefits to organizations. Let's return to the example with which I started the chapter. TIAA-CREF provides 401K benefit management to BYU employees and thousands of other organizations. As we've seen, when I log into the BYU intranet, I gain access only to resources within the BYU firewall. Because BYU and TIAA-CREF do not federate their identity infrastructures, I have to log into the TIAA-CREF site whenever I follow the link from Route Y to TIAA-CREF.

Even if it were practical, TIAA-CREF has no desire to put its proprietary information or user databases inside each of the organizations it serves, and those organizations don't want to turn over their internal user information to an outside vendor. The solution is to federate the identity systems. In that scenario, when I followed the link to the TIAA-CREF page, BYU and TIAA-CREF would automatically and securely exchange identity information. My verified BYU identity would be matched with my customer record at TIAA-CREF, thereby providing direct access without a separate login.

This example suggests how federation takes the benefits of single sign-on and extends them beyond an organization's boundaries. However, there is more to federation than extending single sign-on. Federation respects the distributed, heterogeneous architecture of the current IT environment. As we've seen, efforts to implement unique, all-encompassing identifiers inevitably ...
