When General Motors Corp.’s employee portal forced workers to endure a traffic jam of user names and passwords, the company turned to federated single sign-on to put employees in the driver’s seat.
By employing specifications from the Liberty Alliance Project to let workers submit one user name and password to access benefits, GM made access to the portal much easier. The process gave reluctant users a new incentive to use the portal.
The program has succeeded, said John Jackson, GM’s director of software technology. “There has been universal sentiment that federated single sign-on at GM will be well-received by our ultimate customers,” Jackson said. “Our human resources group believes that federation provides a high value in employee-facing applications and services—so much that we did not calculate return on investment for this project.”
The Liberty Alliance Project, established in 2001, has more than 150 members. (GM is a founding member.) It focuses on the development and deployment of open, federated network identification specifications.
“General Motors joined Liberty Alliance because we believed it was important for the industry to have some choice in the technology that was used,” Jackson said. “We never believed that a single provider—regardless of whether [it was] the federal government, Microsoft [Corp.] or a large bank—would be able to serve the entire Internet. It was important to us that multiple identity providers exist in the Internet.”
In a 2003 poll conducted by the Liberty Alliance, nearly 60 percent of founders and sponsor-level members said they planned to implement the group’s Version 1.1 specification that year. GM’s use of alliance specifications to federate its employee portals was among those implementations.
GM is the world’s largest vehicle manufacturer, employing more than 326,000 people worldwide. The Detroit-based company has one of the world’s largest employee portals—MySocrates—serving more than 190,000 hourly and salaried workers in the United States. MySocrates supports more than 32,000 concurrent users and gets more than 3 million hits per hour, Jackson said.
MySocrates offers a single point of access to hundreds of internal GM Web sites. The portal lets employees customize their experience by providing access to personal information such as health care and retirement benefits. GM outsources many of the HR services that employees use—such as its 401(k) program and expense reporting—to third-party providers.
Before GM implemented federated identity, it wasn’t easy for employees to get information they needed. When users accessed any of GM’s third-party providers via MySocrates, they had to pass through a firewall and authenticate to each third-party service they wanted to access.
IT managers at GM wanted to make access more seamless and efficient for employees, but they understood that many users would be reluctant to use the same profile and password for both their health care provider and their 401(k) provider. By using federation, Jackson concluded, employees could control their own profiles and access levels.
In 2003, the company launched a pilot project that integrated various internal and external systems. The proof-of-concept requirements included validating the ID-FF 1.1 specification and building a model production environment using firewalls and proxies as well as the Internet.
GM, along with Workscape Inc., the Framingham, Mass., company that manages MySocrates, worked with GM’s 401(k) provider on the federation project. Because MySocrates was built using Sun Microsystems Inc.’s Sun ONE Portal Server, GM and Workscape decided to use Sun’s Java System Access Manager, which supports Liberty Alliance’s ID-FF specification. Sun is another founding member of the alliance.
The pilot enables users to log on to MySocrates and choose whether to opt in to federated single sign-on. Users who opt in authenticate just once to the portal, then can access their 401(k) information and other data without having to reauthenticate. To provide a seamless interface between MySocrates and the 401(k) provider’s Web site, GM chose to use JSP (JavaServer Pages) technology.
Jackson said federating identity for the portal was easier, in part, because GM used the publicly available Liberty Alliance specification.
“Since you’re both going through a publicly available specification, you’re both talking the same language as you’re doing so, which simplifies the issues,” Jackson said. “It also abstracts the simplification of our site to your site—regardless of the identity solution you’re using.”
GM is fully deploying federated SSO for 70,000 users of its employee portal. While Jackson estimated the technology should take no longer than two months to deploy, he said legal and business issues may cause the project to take as much as one year to complete. For example, GM still needs to work out what will happen if something goes wrong during authentication.
“There are issues around the business that still need to be resolved,” Jackson said. “But these issues are not limited to General Motors. They affect any company trying to federate identity.”
GM is looking at other services it wants to enable using Liberty Alliance federation. Because the automaker has systematically outsourced business processes, Jackson said it makes sense for it to federate with as many third-party providers as possible.
GM units have built systems using a standard set of products, but each has its own solution, such as a portal for the engineering division and another for manufacturing. Because of this, Jackson said, federation may also be handy internally. “General Motors is a big business to run globally,” he said. “Rather than try to build one large infrastructure for the entire company, it may make more sense to federate.”
Senior Writer Anne Chen can be reached at [email protected].