Today, it is common to use your Google, LinkedIn, or Facebook identity to log into a website. However, in the first generation of the commercial Internet, this was not the standard experience. Virtually every internet service required users to create an account with a username and password. For services that were only used occasionally, having to create this account and remember all the associated passwords often created friction for new users.

The invention of federated identity for the consumer Internet

I worked for Sun Microsystems in the early 2000s and was fortunate enough to be the technical lead for a new concept called federated identity, which presented a way for separate online entities to share identity across any number of websites. In order to build it, Sun formed the Liberty Alliance, a consortium of large companies from a variety of sectors, ranging from telecom to travel to banking.

With federated identity, we separated two important concepts:

Logging into a website
Using a service from a website

Using a standard protocol, a user could, for example, log into Aol.com and then go rent a car from Hertz.com without having to log into their Hertz account. Federated identity allowed distinct websites to enter a business relationship with each other: one website, such as Aol.com, could operate as an identity provider, where users had an account with login credentials, while another website, such as Hertz.com, could operate as a service provider, where users could then rent a car. As a result, users benefited from simplified access to services using their pre-existing accounts.

Federated identity was built on a loose trust model, which placed a firewall between users’ account information and their service history across providers. In other words, there was no need for AOL to know anything about your rental car history, or for Hertz to know your AOL preferences. With the Liberty Alliance, we created extensions to the protocol that enabled services, such as user information transfer and payment processing, to be exchanged between providers.

The adoption of federated identity in the enterprise

The protocols of the Liberty Alliance became the basis of SAML 2.0 when they were transferred to the OASIS standards organization. Accelerated by the prevalence of identity servers and identity access managers that supported the SAML standard from vendors such as Sun, Oracle, and CA, enterprises embraced SAML 2.0 as a standard way to perform single sign-on (SSO) across enterprise systems.

However, SSO is only the first step toward a successful enterprise identity model, because enterprise systems, unlike consumer internet and service providers, have a tight trust model. Many enterprise identity and service providers are hosted by the enterprise itself, and external service providers are subject to intense security controls and compliance requirements to ensure that employee data remains secure.

A direct consequence of federated identity is that all of the data related to an identity is also federated across countless systems. Employee data, for example, is hosted in numerous systems, including payroll, human resources management, and financial and ticketing systems.

Introducing consolidated identity for the enterprise

Consolidated identity is an evolution of federated identity, specifically for the enterprise. Within an organization, there is no need for the firewall between the identity provider and the service provider. The enterprise itself is the primary identity provider, and the service providers that deliver services such as payroll and time-off requests do not hold any data that should not be accessible to the enterprise.

In the enterprise, each employee has data spread across dozens of systems, and unfortunately, with federated identity, there is no way for the employee to cross those silos: the employee has to log into each system and use its interface to access the data they need. That’s where consolidated identity comes in, providing employees with the same simplified access to their business services that federated identity delivers to consumers.

Here are the five steps to consolidating identity in the enterprise:

1. Determine which authentication systems are in use and chain an employee’s identity across those systems. A typical enterprise uses one or more directories, such as Active Directory or LDAP, as well as enterprise mobility management systems.

2. Consolidate the data associated with an employee. While integrating widespread data is considered incredibly difficult, it is much more efficient when the use case is narrowed. Typically, it is only necessary to consolidate the “active data” related to an employee. For example, the consolidated identity system could request only open time-off requests, rather than every time-off request ever made for both active and inactive employees.

3. Control how data can be accessed. A consolidated identity framework must also include a copy of the rules for how any cached data can be accessed. Most systems use declarative access rules and groups that can be copied along with the data to ensure that it is only viewed by appropriate parties. Combining the rules that control how data is accessed with the data itself is a much more efficient mechanism than alternatives such as data warehouse slices.

4. Control access to functions, such as micro apps, with identity provider and application groups. In a typical enterprise, there are Active Directory groups, such as “Management”, as well as groups defined within applications, such as “ServiceNow Administrators”. A consolidated identity system needs the capability to validate a user’s membership in an application’s security groups.

5. Facilitate writebacks to source systems. This can be performed using an application API with a service account and delegated authentication, or a record notation of who performed an action. Another option is to leverage SSO either to deep link into a target application, so the user can perform an action within it, or to have the user bounce to an application login page and log in via SSO in order to get a user token to pass to an API.

Consolidated identity and the identity graph

A consolidated identity system evolves federated identity by creating an aggregated store of each employee and their entitlements across both identity providers and applications. This “identity graph” enables a new wave of applications that are both employee-centered and secure in authentication, authorization, and data governance.
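As an added illustration of the five steps above and of the identity graph they produce, here is a small Python model. It is not part of the original article or of any product the article describes. The system names (ad, hr, servicenow), account formats, employee ids, record ids and payloads are constructed sample data; the two group names come from the article, everything else, including the class and method names, is a hypothetical design.

```python
"""Toy consolidated-identity store (constructed example, not the article's code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

@dataclass(frozen=True)
class IdentityLink:
    """Step 1: one employee chained across the authentication systems in use."""
    employee_id: str
    accounts: Dict[str, str]  # system name -> that system's identifier for the employee

@dataclass
class CachedRecord:
    """Steps 2 and 3: an 'active' record cached together with its own access rule."""
    source: str                     # system the record was copied from
    record_id: str
    owner: str                      # employee_id the record is about
    status: str
    payload: Dict[str, str]
    allowed_groups: FrozenSet[str]  # "system:group" entries copied from the source

class IdentityGraph:
    """Aggregated store of employees, their entitlements and their active data."""

    def __init__(self) -> None:
        self._by_account: Dict[Tuple[str, str], str] = {}
        self._groups: Dict[Tuple[str, str], Set[str]] = {}
        self._records: Dict[str, CachedRecord] = {}
        self.writeback_log: List[Dict[str, str]] = []

    # Step 1: map every chained account back to a single employee.
    def link(self, link: IdentityLink) -> None:
        for system, account in link.accounts.items():
            self._by_account[(system, account)] = link.employee_id

    def resolve(self, system: str, account: str) -> Optional[str]:
        return self._by_account.get((system, account))

    # Step 4: groups come from identity providers (e.g. AD) and applications alike.
    def add_membership(self, system: str, group: str, employee_id: str) -> None:
        self._groups.setdefault((system, group), set()).add(employee_id)

    def is_member(self, employee_id: str, qualified_group: str) -> bool:
        system, group = qualified_group.split(":", 1)
        return employee_id in self._groups.get((system, group), set())

    # Step 2: only records in an active state enter the cache.
    def cache_active(self, records: List[CachedRecord],
                     active_statuses: Tuple[str, ...] = ("open",)) -> int:
        kept = 0
        for rec in records:
            if rec.status in active_statuses:
                self._records[rec.record_id] = rec
                kept += 1
        return kept

    # Step 3: every read is filtered by the rule that travelled with the record.
    def visible_records(self, employee_id: str) -> List[str]:
        visible = []
        for rec in self._records.values():
            if rec.owner == employee_id or any(self.is_member(employee_id, g)
                                               for g in rec.allowed_groups):
                visible.append(rec.record_id)
        return sorted(visible)

    # Step 5: a writeback is gated on a group and noted with who performed it.
    def writeback(self, actor: str, record_id: str, new_status: str,
                  required_group: str) -> CachedRecord:
        rec = self._records[record_id]
        if not self.is_member(actor, required_group):
            raise PermissionError(f"{actor} is not in {required_group}")
        rec.status = new_status  # the source system stays authoritative; refresh from it
        self.writeback_log.append({"record": record_id, "source": rec.source,
                                   "actor": actor, "action": new_status})
        return rec

def build_sample_graph() -> IdentityGraph:
    """Populate the store with constructed sample data (hypothetical ids and groups)."""
    g = IdentityGraph()
    g.link(IdentityLink("alice", {"ad": "CORP\\alice", "hr": "H-1001", "servicenow": "alice"}))
    g.link(IdentityLink("bob", {"ad": "CORP\\bob", "hr": "H-1002", "servicenow": "bob"}))
    g.link(IdentityLink("carol", {"ad": "CORP\\carol", "servicenow": "carol"}))
    g.add_membership("ad", "Management", "bob")                          # IdP group
    g.add_membership("servicenow", "ServiceNow Administrators", "carol")  # application group
    g.cache_active([
        CachedRecord("hr", "T-1", "alice", "open", {"days": "2"}, frozenset({"ad:Management"})),
        CachedRecord("hr", "T-2", "alice", "closed", {"days": "5"}, frozenset({"ad:Management"})),
        CachedRecord("hr", "T-3", "bob", "open", {"days": "1"}, frozenset({"ad:Management"})),
        CachedRecord("servicenow", "INC-9", "alice", "open", {"summary": "laptop"},
                     frozenset({"servicenow:ServiceNow Administrators"})),
    ])
    return g

if __name__ == "__main__":
    graph = build_sample_graph()
    print(graph.visible_records("bob"), graph.writeback("bob", "T-1", "approved", "ad:Management"))
```

Two design points are worth noting. The access rule is stored on the cached record itself, so a read never has to consult the source system to decide who may see it, which is the point of copying the declarative rules along with the data. And `is_member` treats an Active Directory group and an application-defined group identically, so the same check gates both viewing data and performing a writeback; the `writeback_log` entry is the “record notation of who performed an action”, which is what lets the source system attribute a change made through a shared service account to a specific employee.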