
Digital Identity by Phillip J. Windley


In late 2000, Governor Michael Leavitt of Utah asked me to serve as his CIO and a member of his cabinet. Governor Leavitt had a strong belief in the power of e-government to transform government operations and thought that my private-sector experience as CTO for an early e-commerce start-up, http://iMall.com, and then as vice president of product development at was just what was needed to help build e-government in Utah.

I spent almost two years working on that vision and building an infrastructure to support it. While I was CIO, I struggled to learn how to build flexible, interoperable infrastructure in a large, loosely coupled organization. Many of the issues we faced, such as privacy, naming, directories, authentication, and digital signatures, were identity issues. Many more of them were about how to execute an enterprise strategy in a decentralized organization. State governments are not alone in those challenges.

I have a deep respect for the power of digital identity, and I am convinced by my experiences in e-commerce and as CIO that digital identity is a foundational element in modern IT systems. I can’t imagine an agile, business-responsive IT infrastructure that doesn’t have at its core a flexible, interoperable identity infrastructure.

Not long ago, Doug Kaye sent an email to a group of folks that said, essentially: “The world needs a book on digital identity. Would any of you like to write it?” I thought that sounded fun, and this book is a direct result of Doug’s question.

Throughout this book, you’ll find stories from my experiences as a CTO and CIO that illustrate identity concepts. Interestingly, when I had those experiences, I wasn’t usually thinking about digital identity. Consequently, I was surprised to find that many of my past experiences were directly related to the subject of this book. In relating these experiences, I don’t want to take undue credit for what happened. Literally hundreds of people participated in the experiences I relate, and I’m grateful that they did. I learned a lot.

Who Should Read This Book

This book is designed to familiarize CIOs, IT managers, and other IT professionals with the language, concepts, and technology of digital identity. As I said, I believe that managing digital identity is one of the most fundamental activities in IT and that a good identity management strategy is the key to not only protecting the enterprise from attack, but, more important, providing flexible access for partners, customers, and employees to needed information and systems.

The concepts in this book apply equally well to a wide variety of organizations. While this book primarily talks about digital identity in the context of business, the concepts are as applicable, and opportunities as great, for non-profit groups and government agencies. As I mentioned, my experiences cover the public and private sectors as well as large and small organizations. When I use the word “enterprise” in this book, I mean any business or organization—for-profit or not. The term can even apply to business units, provided their decisions about identity are relatively independent from other business units in the larger organization.

This book is not a book with code examples and recipes for building digital identity management systems. Even so, it is a technical book that explains the technology of digital identity in some detail. More importantly, the book puts the technology in context and shows how it can all be put to the task of managing digital identities inside your organization.

The book is divided into three sections. The first section is about the core concepts in digital identity, including privacy and trust. The second section discusses the technology of digital identity. The third section portrays in some detail a process, called an identity management architecture (IMA), that you can use to build a digital identity infrastructure in your organization, regardless of its size or structure. The information in the last section is prescriptive in nature. Because of my experiences, I have a clear philosophy on how to build an IMA. I present a rather detailed series of steps that show how to create an IMA and how to use it.

Conventions Used in This Book

The following typographic conventions are used in this book:


Italic

Used for file and directory names, email addresses, Unix commands, and URLs, as well as for new terms where they are defined.

Constant Width

Used for code listings and for keywords, variables, tags, functions, command options, and strings where they appear in the text.

Constant Width Bold

Used to mark lines of output in examples.

Constant Width Italic

Used as a general placeholder to indicate items that should be replaced by actual values.

Comments and Questions

Please address comments and questions concerning this book to the publisher:

O’Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
(800) 998-9938 (in the United States or Canada)
(707) 829-0515 (international or local)
(707) 829-0104 (fax)

We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at:


To comment or ask technical questions about this book, send email to:

For more information about our books, conferences, Resource Centers, and the O’Reilly Network, see our web site at:


Safari Enabled


When you see a Safari® enabled icon on the cover of your favorite technology book, that means the book is available online through the O’Reilly Network Safari Bookshelf.

Safari offers a solution that’s better than e-books. It’s a virtual library that lets you easily search thousands of top tech books, cut and paste code samples, download chapters, and find quick answers when you need the most accurate, current information. Try it for free at http://safari.oreilly.com.


Acknowledgments

This book would have never happened without the encouragement, help, and advice of Doug Kaye. I’ve mentioned his original question that motivated the book. He also provided valuable coaching and mentoring, as well as served as the book’s first editor. I’m grateful for his guidance and friendship.

Bradford Windley drew the picture of the trebuchet in Chapter 1.

Some portions of Chapter 12, on federating identity, are adapted with permission from Scenarios for Identity Federation & Drivers of the Identity Network by Linda Elliott and Eric Nolin of Ping Identity Corporation, Tom McKenna of SRI Consulting Business Intelligence, and Kevin Werbach of the Supernova Group LLC.

I’m grateful for the help of Gary Daemer of Booz Allen Hamilton who provided valuable information and advice about the maturity model for identity discussed in Chapter 15.

Burton Group and Jamie Lewis, in particular, were very generous in letting me use their ideas in writing Chapter 19 on reference architectures. I’m also grateful to Jamie for agreeing to write the Foreword to this book and for his insights into the state of the art in digital identity systems and technology.

The technical reviewers offered many thoughtful suggestions that greatly improved the final result. I’m thankful for their efforts.

Lastly, I’m grateful to my wife, Lynne, and my children, Bradford, Alexandra, Jacob, Joseph, and Samantha, for their support, help, love, and mostly for their understanding at the many times I had to say “Sorry, I can’t—I’ve got to work on the book.”
