Enterprise Open ID

From IIW

Issue/Topic: Enterprise Open ID (F2E)

Conference: IIW-East, September 9-10, 2010, Washington DC

Convener: Justin Richer

Notes-taker(s): Justin Richer

Tags: openid, policy, use cases, email

Discussion Notes:

Just about every company today hands its employees an email account on the way in, and most also issue a phone of some kind. People can use these to self-identify as a member of their company in the wider world while collaborating with other people. We don't ask people to use a personal phone or email address for their work. Why do we make people use personal OpenID accounts? What if companies started issuing OpenIDs and other globally-referenceable credentials to their employees?

MITRE has started to do this with their MITREid prototype system, for MITRE people to use on the outside internet as well as for research prototype systems within the enterprise itself.

Services like StackOverflow drive this first use case, as they will only allow login through OpenID (and similar vendor services like Facebook Connect). Without a corporately-provided identifier, employees would have to use a personal account to interact with the site.

Inside the enterprise, OpenID can act as an additional authentication mechanism for apps. With OpenID in particular, the identity provider needs no per-client configuration to support a new relying party: the relying party discovers the provider from the user's identifier and nothing has to be registered on the server side. Many applications come with OpenID support built in today. Oracle had tried to launch an internal blogging tool, but it took over six months to integrate the tool with the enterprise identity system. If an OpenID server had been available, it would have been ready off the shelf.

Policies for this whole realm are as yet largely unwritten, but may take the existing email policies as a precedent. In effect, we have to trust end users to a certain degree.

This trust can lead to the "Kitties are fluffy!" problem, where an employee can use their employer-provided identity to make personal opinion statements. Some companies would implement whitelists, others would turn to user education.
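Added example, not part of the session notes or of MITREid: the two checks an enterprise OpenID 2.0 provider can run on an incoming authentication request before it signs an assertion, namely the spec's own realm rule (the relying party's return_to must lie inside the realm it claims) and the corporate whitelist of sites mentioned above. The allowlist contents and the sample request are constructed for this example.

```python
"""Added example: OP-side checks before an enterprise OpenID 2.0 provider
signs an assertion for a relying party.
  1. The spec's realm rule: openid.return_to must lie inside openid.realm.
  2. A corporate allowlist of realms, the "whitelist" policy discussed above.
Allowlist contents and the sample request are constructed for this example."""
from urllib.parse import parse_qs, urlsplit

# Constructed corporate policy: sites where the company-issued OpenID may be used.
ALLOWED_REALMS = {"https://stackoverflow.com/", "https://*.example.org/"}

# Constructed checkid_setup request as an RP would redirect it to the OP endpoint.
SAMPLE_QUERY = ("openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0"
                "&openid.realm=https%3A%2F%2Fstackoverflow.com%2F"
                "&openid.return_to=https%3A%2F%2Fstackoverflow.com%2Fusers%2Fauthenticate")

def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """OpenID 2.0 section 9.2: same scheme and port; path equal to or below the
    realm path; host equal, or a subdomain when the realm starts with '*.'."""
    rt, rl = urlsplit(return_to), urlsplit(realm)
    rl_host, rt_host = rl.hostname or "", rt.hostname or ""
    if rl.fragment or rl_host.count("*") > 1 or ("*" in rl_host and not rl_host.startswith("*.")):
        return False  # realm may carry no fragment and only a leading wildcard
    if rt.scheme != rl.scheme or rt.port != rl.port:
        return False
    if rl_host.startswith("*."):
        if rt_host != rl_host[2:] and not rt_host.endswith(rl_host[1:]):
            return False
    elif rt_host != rl_host:
        return False
    rl_path, rt_path = rl.path or "/", rt.path or "/"
    return rt_path == rl_path or rt_path.startswith(rl_path.rstrip("/") + "/")

def approve_assertion(query: str, allowed_realms: set) -> tuple:
    """Policy decision for one authentication request (the OP's query string).
    Returns (allowed, reason); the OP signs an assertion only when allowed is True."""
    p = {k: v[0] for k, v in parse_qs(query).items()}
    if p.get("openid.mode") not in ("checkid_setup", "checkid_immediate"):
        return False, "not an authentication request"
    return_to = p.get("openid.return_to")
    if not return_to:
        return False, "openid.return_to missing"
    realm = p.get("openid.realm", return_to)  # spec default: realm = return_to
    if not return_to_matches_realm(return_to, realm):
        return False, "return_to lies outside the stated realm"
    # The policy check is done on return_to (where the assertion actually goes),
    # using the same matching rule against each allowlisted realm pattern.
    if not any(return_to_matches_realm(return_to, a) for a in allowed_realms):
        return False, "destination %s is not on the corporate allowlist" % return_to
    return True, "ok"
```

A provider that enforces the first check blocks a relying party from claiming one realm and receiving the assertion elsewhere; the second is where the "whitelist" policy lives, and a company that prefers user education over whitelisting would simply pass an empty policy and rely on the realm shown to the user instead.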

It is unclear why most companies are not doing this already, but as adoption is growing for the OpenID protocol across the internet it is becoming more an issue of proper policy management than technological or business support.