Comment: Migrated to Confluence 4.0

...

  • AOL slides: Media:AOLConcordiaWorkshop06.26.07.pdf, presented by George Fletcher, exploring three main use cases: 1. Seamless sign-in/sign-out experience; 2. Identity agents to hide protocol issues; and 3. Service invocation across protocols
  • Boeing slides: Media:BoeingConcordiaWorkshop06.26.07.pdf, presented by Mike Beach, exploring three main use cases: 1. Internal Domain Integration; 2. Standards enabled endpoints; and 3. Nested federation
  • Summary of GM slides: Media:GMShortConcordiaWorkshop06.26.07.pdf?pdf, presented by Jim Heaton, summarizing some of the aspects of harmonization discussed at the workshop
  • Government of British Columbia slides: Media:GovtofBritishColumbiaConcordiaWorkshop06.26.07.pdf?pdf, presented by Ian Bailey, exploring 1. Citizen centred service and 2. A connected workforce
  • US GSA slides: Media:USGSAConcordiaWorkshop06.26.07.pdf?pdf, presented by Georgia Marsh, exploring these challenges: 1. Simple SAML interoperability, 2. Metadata distribution, 3. Trust anchors, 4. Activation/account linking, and 5. PKI attributes -> SAML, and culminating in an interfederation use case

The group then brainstormed in the final hour on common themes and next steps.

Common Themes

...

  • Don’t want to know what credential is needed for what environment
  • What is the function of a “hammer versus screwdriver” (i.e., if a current spec can accommodate something, why bring yet another new protocol to the market)
  • Plumbing should be transparent
  • Partners will always have something different
  • Needs to scale
  • Session time-outs
  • Non-tech issues are often more difficult than technical issues
  • No longer a single “knowledge point” w/in organization – multiple sources for PII
  • As values & risk scale, system needs to have assurance levels
  • What is the purposeful nature of this interaction?

Usability:

  • Account provisioning & linking is not well understood
  • User experience concern is a dramatically growing drumbeat
  • If people are confused, they will make the wrong decision
  • Unless you test it, you can’t be sure it will work (the converse is true)
  • Need for independent interop testing
  • Downward scalability of services to small business – need for outsourced services
  • Leverage OS authentication into environment
  • Manual effort to scale (à la PKI)
  • Distributed admin is falling out of favor – customers don’t want to manage details of authorizations (in multiple id repositories)
  • Need to have user-controlled IDs for novice users – protect the user from themselves – but when they get somewhat more savvy, they drop out – slows the market growth
  • Deployers often don’t implement entire spec (example: SAML2) – specialized deployments use more of spec in order to scale e.g. metadata
  • Need to draw a line between product interop & business best practices
  • Need to improve quality of initial authentication – privacy concerns – user experience is getting worse & worse
  • Need clarification of privacy models
  • Portability of identities across devices
  • Blending of identities occurring: need to make use of OpenID functionality, for example, as consumer identities blend with corporate IDs
  • Presence/idleness/location/on-line?/location-based access rights
  • Claims linking to authoritative sources

Next steps?

  • Scale interoperability capabilities up to higher level – working groups should form to do that
  • Move beyond point-to-point connectors to achieve common ground to achieve security and SSO across all platforms
  • Industry-based workgroup to tackle inter-federation both as technology and business issues
  • Inter-federation between corp & govt entities
  • Someone should work on usability best practices
  • Improve user experience ‘the ceremony’ (micro & macro) – make the plumbing transparent – take a lesson from the iPod & ring-tones
  • One size will not fit all – guidelines need to go beyond current state