Clarify the differences and similarities between federation within an organization vs. across multiple organizations #7

Open
MartinFSmith opened this issue Oct 12, 2016 · 0 comments

Comments

@MartinFSmith

The draft identifies benefits of and considerations about federated identity management in the context of cross- or multi-organizational federation. Several of the benefits cited can be obtained by using federation technology within a single enterprise or other organization.

For example, the user convenience of single sign-on can be delivered to employees within the enterprise, as can the benefit of relieving multiple internal resource managers of the burden of maintaining separate user accounts.

These benefits can be obtained within an enterprise without the need for formal "trust framework" agreements because all participants are within a single legal entity with a single hierarchical management control structure to provide recourse and accountability.

However, identity federation within an enterprise does not provide for the large and growing number of business scenarios that require secure information sharing among participants who are not all employees (or otherwise under the legal control) of a single organization. For those scenarios--including sharing among supply-chain partners and interaction with customers, citizens, or government agencies--the benefits of identity federation require agreement on a common trust framework.

The most challenging aspect of a multi-organizational identity federation or a broader "ecosystem" arrangement is governance among legal peers. Technology governance is required to set standards to assure interoperability and end-to-end information security, but most critical is legal governance to manage and allocate risk and liability.

I suggest the above discussion or something like it be included in the draft, perhaps in a sidebar or text box.
