Tuesday, November 25, 2008

Corporate OpenID

We'd like to use OpenID in the solution we're developing.

There are currently a large number of OpenID providers, including AOL, the BBC, Google and Yahoo! ... and a lot of individuals will already have accounts with one of these providers. However, we'd also like to offer the same experience to corporate users.

The solution to this seems pretty obvious - corporates should become OpenID providers.

It should also be possible to do this in quite a secure fashion. When an individual uses Open ID to a login site, a few key things happen:

  1. The site contacts your OpenID provider and works out (a) the login location and (b) establishes a secret key for this session.

  2. The user is then redirected to the login location to enter their username and password. This is page of the provider (e.g. GMail), not the site you're actually trying to access. As such, your password is kept between you and the provider alone.

  3. If you're successful, you're send back to the site. The key is used to verify that you've signed in with the provider.

There is clearly a bit more to it than that - you can opt in and out of various things for example - but that's the basic dialog.

There is nothing stopping corporates becoming OpenID providers for themselves. To achieve this, they would put a system in their DMZ to interact with relying parties (i.e. the sites using the OpenID).

The "sign-in" page could be established at a location internal to their network (this is not necessary and is perhaps limiting, but it would increase security). As such, when you hit an external website, you'd be redirected to an internal site to actually log in. The employee's username and password never actually leave the internal network, encrypted or otherwise. This login process would also be (more) difficult to spoof or phish, and remain quite resistant to a lot of DNS attacks.

Even better, such a solution could be single signon (SSO) - using the employee's login session at their workstation, rather than requiring them to enter their username and password again.

Sun already do something similar to all of this- they provide OpenIDs to their employees via OpenID at Work. Although from what I can tell, this is a separate identity, rather than being linked to internal corporate ones.

Microsoft is a big supporter of OpenID - For example, Windows Live will support Open ID. However, I can't find any specific literature regarding a turn-key "Turn your Active Directory into an OpenID provider". As many corporates rely on Active Directory, this kind of solution would be a rapid enabler.

If anyone knows of solutions or initiatives looking into this, drop me a line.

...

jon@jodoro.com

3 comments:

Anonymous said...

Jon & Doug,

Tim from Atlassian here. It was great to meet you both last night. I've been looking through your blog today and there's a lot of interesting stuff here!

This post caught my eye in particular, as Atlassian's Crowd single sign-on product can act as an OpenID provider (and can be backed by an LDAP directory or Active Directory). You might be interested in looking into it.

Good luck with your venture! It sounds like you have some really interesting technology in the works. I hope you'll keep me updated with your progress. (tmoore@atlassian.com)

I'll be posting on Atlassian's internal company blog about the meet-up and about Jodoro. Hopefully some of my colleagues in Oz will be able to meet up with you guys back there some time.

idalyyadao said...

Failure to look at the percentages will annoy the player and end in a loss. If would possibly be} betting on the Banker hand, you must pay off your commissions before you allow the table. Dragon Bonus pays when your hand is a natural winner or wins by a margin of a minimum of|no much less than} four factors. The downside is that uneven outcomes and early losses can depart you worse off in a development than with flat bets. The result is more massive wins offset by much more small losses. Perhaps it’s as a result of|as a end result of} you haven't any|you don't have any} selections to make 룰렛 on whether to draw cards.

Anonymous said...

Once you’ve carried out that, there’s no want to visit the “regular” model of the on line casino again. But it’s also glorious on cell and offers a strong variety of general on line casino video games – 메리트카지노 and it’s at the prime of the tree for us. To be able to|be capable of|have the power to} efficiently addContent apps to the Google Play retailer, developers have to have a valid license for the precise nations they're focusing on and comply with their regulations.