Sxip has demonstrated their version of federated authentication at Dreamforce (Salesforce.com's show) [article here]. This is one way of doing federated authentication/authorization, and there are several technologies in this field. The most notable is SAML (and XRI). Sxip's is a vendor-proprietary technology. There are also open source initiatives such as OpenID and LID.
When we think about it, an ASP vendor is generally a service provider, and user authentication is not its core competence. In fact, authentication (AuthN) can be done on the identity holder's side, and the service provider only needs to accept or reject the assertion that this identity owner brings to the service. This is called authorization (AuthZ). The problem then is how, and by whom, such an identity would be provided.
Perhaps the reader has heard the words "Theirdentity, Ourdentity, Mydentity". These are the words spoken by Doc Searls at Digital ID World three years ago.
Theirdentity is the ID that is assigned inside corporations to organize data such as direct-marketing data. It is an ID that only these companies can utilize and that we, the identity owners, cannot use.
Ourdentity is the identity that is shared between us, the identity owner, and the entity that assigns the ID, such as the company that employs us (employee number) or a bank (account number). We can use it, but we are not its controller. This ID is controlled by the company that assigns it, and can be revoked at any time.
In contrast, Mydentity is the identity that we control. For example, obtaining a domain and creating a mail address for myself is the act of creating one mydentity. Ideally, we should be able to use these mydentities to consume any service provided on the internet, i.e., to be authorized. The tide is flowing this way, and this indeed is Identity 2.0.
However, managing a mydentity in a secure way is not a trivial task. Most individuals would not have the skill to do this. This leads to the idea of Identity Hosting. In this case, the Identity Hosting company is only entrusted with the management and would not have any right over the identity, i.e., it does not control the identity. It is we, the individuals, who control the identity.
Under such circumstances, we have to consider the trustworthiness of the identity hosting company or entity. We would also have to think about cases such as this company going bankrupt. What XDI.ORG does is put in place the legal and contractual as well as technical infrastructure to cover such cases: creating a minimum standard for the service implementation, creating rules so that one can move to another hosting company when needed, setting up escrow relationships so that people will not be caught out by the sudden death of a hosting provider, determining what kind of insurance plan a hosting provider must purchase, etc. We need to think vigorously about these social fabrics. Technical considerations alone are not enough.
By the way, technically, to achieve this kind of infrastructure SAML alone is not enough; we also need technologies that assist in resolving the authentication provider and in determining its reputation. One candidate is XRI/XDI, which is being standardized at OASIS Open, the same institution where SAML was standardized. XRI is a URN scheme with a built-in delegation framework, and a portion of it (XRDS) is being used as the centerpiece of Yadis (http://www.yadis.org/), which is used by OpenID, LID, and i-names.
Now, this article by Sxip says "Sxip Access makes infinitely more sense than a heavier federated solution, since it is significantly faster and easier to get up and running and allows logins anywhere, such as accessing Salesforce from a Blackberry. Which is simply not possible with a SAML-based federated method." I am not so sure about this. SAML has a very rich feature set, but we do not have to use all of it. The heaviness comes from the feature richness and its implementations. If we use only the minimum requirements, it does not have to be so heavy — well, sort of, given the security mechanisms required for this kind of thing.
Right now, at my company, we are creating Apache modules which work as a SAML Assertion Provider and Consumer. The consumer side exports the identity into environment variables in the manner basic authentication does, so existing applications can use it without being SAMLized. I think this is very useful for integrating the huge number of existing web applications, but of course, YMMV. Do you also think this would be useful?
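To make the consumer side concrete, here is an added example (not the author's Apache module, and not anyone's production code) of what such a consumer must check before it can safely hand an identity to a legacy application: issuer, validity window and audience restriction on the assertion's Conditions, and only then the mapping of the subject and attributes to basic-auth-style environment variables. It assumes the XML Signature over the assertion has already been verified by an earlier step (e.g. with xmlsec), and the sample assertion is constructed for the demo.

```python
# Added example (not the author's Apache module): a minimal SAML 2.0
# assertion consumer that enforces Conditions, then exports the subject
# and attributes as environment-style variables the way a basic-auth-like
# module hands identity to legacy apps. Assumes the XML Signature was
# already verified (e.g. with xmlsec) before this is called.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion for the demo (not from a real IdP).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2006-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2006-01-01T00:00:00Z" NotOnOrAfter="2006-01-01T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(s):  # parse the UTC xsd:dateTime form SAML uses
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def consume_assertion(xml_text, expected_audience, trusted_issuer, now):
    """Return CGI-style variables for the subject, or raise ValueError to reject."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        raise ValueError("untrusted issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < _ts(nb)) or (noa and now >= _ts(noa)):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("audience mismatch")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("missing NameID")
    env = {"AUTH_TYPE": "SAML", "REMOTE_USER": name_id}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        env["SAML_" + attr.get("Name").upper()] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return env
```

The returned dictionary is what the module would place into the request environment, so an unmodified application sees `REMOTE_USER` exactly as it would under basic authentication.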