One of the primary bottlenecks to building Federations with thousands or tens of thousands of members is the manual nature of connection management. In general, establishing and maintaining a partner connection requires the Federation administrator to change settings in the Federation server by hand, and these settings change at least annually for each connection (for example, whenever a partner rotates its signing certificate).
There are at least three different ways to mitigate the burden of connection maintenance:
Self-Service Portal: While this approach can work for either identity providers (IdPs) or service providers (SPs), today SPs generally feel the pain of connection management more acutely, since a single SP might have thousands of IdP partners. To alleviate the resulting burden, an SP can offer a self-service portal to the IdPs that wish to use its service, which effectively places the burden of connection management on the IdPs. The portal then becomes the point where metadata from many outside parties enters the SP, so it must validate what it accepts rather than apply submitted settings blindly.
Identity Proxy: In addition to other benefits (e.g., protocol translation and IdP discovery), an identity proxy may provide connection management on behalf of its users, at the cost of making the proxy a trusted intermediary in every federated transaction.
Metadata Registry: A metadata registry publishes partners' metadata (entity IDs, certificates, endpoints and validity periods) in a form that Federation servers can fetch and apply automatically. This automates connection management without an identity proxy and is a critical component for Federations at Internet-scale. Because every member then trusts what the registry publishes, the registry's output must be signed, and consumers must verify that signature and honor the metadata's validity period before applying it.
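To make the registry model concrete, here is an added example (not Ping Labs code and not from the original post) of the consumer side: an SP reads a standard SAML 2.0 EntitiesDescriptor aggregate of the kind a registry would publish, extracts each IdP's signing certificate fingerprints and HTTP-Redirect SSO endpoint, refuses a stale aggregate, and diffs the result against the connections it currently has configured. The entity IDs, URLs and certificate bytes are constructed placeholders (the X509Certificate elements hold base64 of short strings, not real certificates), and XML signature verification of the aggregate is assumed to have happened before this code runs.

```python
"""Metadata-driven connection refresh for an SP (added example, not Ping Labs code).
All entity IDs, endpoints and 'certificates' below are constructed placeholders.
Verify the registry's XML signature on the aggregate before passing it to
parse_aggregate(); that step is assumed, not shown, here."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Optional

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


@dataclass(frozen=True)
class IdpConnection:
    entity_id: str
    sso_url: str
    signing_fingerprints: FrozenSet[str]   # SHA-256 over the decoded certificate bytes


def _fingerprint(b64_cert: str) -> str:
    """SHA-256 of the decoded <ds:X509Certificate> content, ignoring whitespace."""
    return hashlib.sha256(base64.b64decode("".join(b64_cert.split()))).hexdigest()


def parse_aggregate(xml_bytes: bytes, now: Optional[datetime] = None) -> Dict[str, IdpConnection]:
    """Map entityID -> IdpConnection for every usable IdP in an EntitiesDescriptor.
    Rejects an aggregate with no validUntil, or one already expired, so a stale copy
    (e.g. one still listing a rotated-out certificate) is never applied.
    `now` must be timezone-aware; it defaults to the current UTC time."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntitiesDescriptor" % NS["md"]:
        raise ValueError("not an EntitiesDescriptor aggregate")
    valid_until = root.get("validUntil")
    if valid_until is None:
        raise ValueError("aggregate carries no validUntil; refusing to cache it")
    if datetime.fromisoformat(valid_until.replace("Z", "+00:00")) <= now:
        raise ValueError("aggregate expired at %s" % valid_until)
    connections = {}
    for ed in root.findall("md:EntityDescriptor", NS):
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue                      # SP-only entity: nothing for an SP to connect to
        fingerprints = set()
        for kd in idp.findall("md:KeyDescriptor", NS):
            if kd.get("use", "signing") != "signing":   # no 'use' attribute means both uses
                continue
            for cert in kd.findall(".//ds:X509Certificate", NS):
                fingerprints.add(_fingerprint(cert.text))
        sso = next((s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                    if s.get("Binding") == REDIRECT), None)
        if not fingerprints or sso is None:
            continue                      # cannot verify its assertions or cannot reach it
        entity_id = ed.get("entityID")
        connections[entity_id] = IdpConnection(entity_id, sso, frozenset(fingerprints))
    return connections


def plan_refresh(current: Dict[str, IdpConnection],
                 published: Dict[str, IdpConnection]) -> Dict[str, list]:
    """Diff the SP's configured connections against what the registry publishes."""
    cur, pub = set(current), set(published)
    return {"add": sorted(pub - cur),
            "update": sorted(e for e in cur & pub if current[e] != published[e]),
            "remove": sorted(cur - pub)}


# Constructed aggregate: two IdPs (idp-a also carries an encryption key that must be
# ignored for signature checks) plus an SP-only entity that an SP has no use for.
SAMPLE_AGGREGATE = b"""<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" validUntil="2031-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp-a.example.edu/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        QUJDREVGMjAyNQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        RU5DUllQVA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp-a.example.edu/saml/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-b.example.edu/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        SURQLUI=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp-b.example.edu/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-only.example.com/saml">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# The SP's current configuration (constructed): idp-a still carries a certificate the
# registry has since rotated out, and idp-c is no longer published at all.
CURRENT_CONNECTIONS = {
    "https://idp-a.example.edu/saml": IdpConnection("https://idp-a.example.edu/saml",
        "https://idp-a.example.edu/saml/sso", frozenset({_fingerprint("T0xEQ0VSVA==")})),
    "https://idp-c.example.edu/saml": IdpConnection("https://idp-c.example.edu/saml",
        "https://idp-c.example.edu/sso", frozenset({_fingerprint("SURQLUM=")})),
}

if __name__ == "__main__":
    print(plan_refresh(CURRENT_CONNECTIONS, parse_aggregate(SAMPLE_AGGREGATE)))
```

Run against the constructed data, the plan adds idp-b, updates idp-a (its signing certificate changed) and removes idp-c; that plan is exactly what the administrator would otherwise be typing in by hand. Two production caveats: parse metadata fetched from the network with a hardened parser such as defusedxml rather than the standard library module used here, and treat the validUntil check as a floor, not a substitute for the aggregate's signature.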
In this short video, I discuss these different models for Federation connection management, and highlight technology being built by Ping Labs that promises to enable Federations at Internet-scale.