The Mirage of Centralized Efficiency

At first, centralized identity management may sound appealing. However, the vision that a centralized approach will deliver security, cost savings, or management simplicity is a mirage. Centralized digital identity systems do not scale. Identity relationships are inherently web-like in structure, while centralized technologies like directories are hierarchical. Every individual can have relationships to many other individuals, organizations, applications, and services. Every enterprise must contend with many sets of overlapping and often changing identity relationships.

The primary tenet of centralized identity is the creation of a single, globally unique identifier. Various identities on other systems are then mapped to this global identifier. Mapping those relationships to a single identifier is conceptually simple but difficult to implement.

When I was the CIO for Utah, this problem came up time and time again as we attempted to reconcile various data stores across the state in order to create citizen web applications. There are two primary problems.

First, all of the local identifiers must be converted to a single canonical ID, or a new mapping database must be created. I attended many meetings where people got together to hash out the format for a new identifier, how the mapping would take place, and who would pay for the conversions. Anyone who's gone through a process like this will inwardly groan whenever it's mentioned.
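The "mapping database" option described above is easy to sketch and hard to get right. The following toy store is an added illustration, not code from the book or from any Utah system: it maps each (system, local identifier) pair to a minted canonical ID, lets two local records be linked when they describe the same person, and refuses a merge when the records contradict each other, since a wrong merge quietly hands one person's records to another. The system names ("dmv", "tax", "health"), the local identifiers and the attributes are constructed sample data.

```python
from collections import defaultdict
from itertools import count


class IdentityMap:
    """Mapping database: (system, local_id) -> canonical id, with merges.

    Hypothetical example; assumes each source system has its own local
    identifier and that a canonical ID is minted the first time a local
    identifier is seen.
    """

    def __init__(self):
        self._next = count(1)
        self._local_to_canonical = {}                # (system, local_id) -> cid
        self._canonical_to_local = defaultdict(set)  # cid -> {(system, local_id)}
        self._attrs = defaultdict(dict)              # cid -> {attribute: value}

    @staticmethod
    def _conflicts(existing, incoming):
        # Attributes asserted on both sides with different values.
        return {k: (existing[k], v) for k, v in incoming.items()
                if k in existing and existing[k] != v}

    def register(self, system, local_id, **attrs):
        """Record a local identifier, minting a canonical ID if it is new.

        Re-registering with attributes that contradict what is already
        known for that canonical ID is rejected rather than overwritten.
        """
        key = (system, local_id)
        cid = self._local_to_canonical.get(key)
        if cid is None:
            cid = f"cid-{next(self._next)}"
            self._local_to_canonical[key] = cid
            self._canonical_to_local[cid].add(key)
        conflicts = self._conflicts(self._attrs[cid], attrs)
        if conflicts:
            raise ValueError(f"{key} contradicts canonical {cid}: {conflicts}")
        self._attrs[cid].update(attrs)
        return cid

    def link(self, sys_a, id_a, sys_b, id_b):
        """Assert that two registered local identifiers are the same person.

        Merges the second canonical ID into the first; refuses when the two
        records disagree on any shared attribute.
        """
        cid_a = self._local_to_canonical[(sys_a, id_a)]
        cid_b = self._local_to_canonical[(sys_b, id_b)]
        if cid_a == cid_b:
            return cid_a
        conflicts = self._conflicts(self._attrs[cid_a], self._attrs[cid_b])
        if conflicts:
            raise ValueError(f"refusing to merge {cid_a} and {cid_b}: {conflicts}")
        for key in self._canonical_to_local.pop(cid_b):
            self._local_to_canonical[key] = cid_a
            self._canonical_to_local[cid_a].add(key)
        self._attrs[cid_a].update(self._attrs.pop(cid_b, {}))
        return cid_a

    def lookup(self, system, local_id):
        """Return the canonical ID and every local identifier linked to it."""
        cid = self._local_to_canonical[(system, local_id)]
        return {"canonical_id": cid,
                "local_ids": set(self._canonical_to_local[cid]),
                "attributes": dict(self._attrs[cid])}


def demo():
    """Walk through one consistent merge and one rejected merge (constructed data)."""
    m = IdentityMap()
    dmv = m.register("dmv", "D-100", name="Ann Lee", dob="1980-01-02")
    tax = m.register("tax", "T-7", name="Ann Lee")
    merged = m.link("dmv", "D-100", "tax", "T-7")       # consistent: merged
    health = m.register("health", "H-3", name="Bob Ray")
    try:
        m.link("dmv", "D-100", "health", "H-3")           # contradictory: rejected
        rejected = False
    except ValueError:
        rejected = True
    return {
        "dmv": dmv,
        "tax": tax,
        "merged": merged,
        "linked": m.lookup("tax", "T-7")["local_ids"],
        "health_separate": m.lookup("health", "H-3")["canonical_id"] == health,
        "rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Even this small store shows where the meetings come from: someone has to decide which attributes count as contradictions, what happens to the losing canonical ID after a merge, and how to undo a merge that later turns out to be wrong (this toy cannot un-merge at all). None of that is captured by the one-line idea of "a single global identifier".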

Second, even after ...
