Catalyst Concordia Workshop June 26, 2007 Theme Summary

Five deployers (AOL, Boeing, Government of British Columbia, GM, and the US General Services Administration) presented in the morning (presentations being added as permissions granted), on their various use cases requiring harmonization of specs and protocols. Several folks have blogged their own summaries: Pat Patterson, Mark Wahl, and Mark Dixon.

The use-case presentations from the June workshop are here:

  • AOL slides: Media:AOLConcordiaWorkshop06.26.07.pdf, presented by George Fletcher, exploring three main use cases: 1. Seamless sign-in/sign-out experience; 2. Identity agents to hide protocol issues; and 3. Service invocation across protocols
  • Boeing slides: Media:BoeingConcordiaWorkshop06.26.07.pdf, presented by Mike Beach, exploring three main use cases: 1. Internal Domain Integration; 2. Standards enabled endpoints; and 3. Nested federation
  • Summary of GM slides: Media:GMShortConcordiaWorkshop06.26.07.pdf, presented by Jim Heaton, summarizing some of the aspects of harmonization discussed at the workshop
  • Government of British Columbia slides: Media:GovtofBritishColumbiaConcordiaWorkshop06.26.07.pdf, presented by Ian Bailey, exploring 1. Citizen centred service and 2. A connected workforce
  • US GSA slides: Media:USGSAConcordiaWorkshop06.26.07.pdf, presented by Georgia Marsh, exploring these challenges: 1. Simple SAML interoperability, 2. Metadata distribution, 3. Trust anchors, 4. Activation/account linking, and 5. PKI attributes -> SAML, and culminating in an interfederation use case

The group then brainstormed in the final hour on common themes and next steps.

Common Themes

  • Don’t want to know what credential is needed for what environment
  • What is the function of a “hammer versus screwdriver” (i.e., if a current spec can accommodate something, why bring yet another new protocol to the market)
  • Plumbing should be transparent
  • Partners will always have something different
  • Needs to scale
  • Session time-outs
  • Non-tech issues are more often more difficult than technical issues
  • No longer a single “knowledge point” within an organization – multiple sources for PII
  • As values & risk scale, system needs to have assurance levels
  • What is the purposeful nature of this interaction?

Usability:

  • Account provisioning & linking is not well understood
  • User experience concern is a dramatically growing drumbeat
  • If people are confused, they will make the wrong decision
  • Unless you test it, you can’t be sure it will work (the converse is true)
  • Need for independent Interop testing
  • Downward scalability of services to small business – need for outsourced services
  • Leverage OS authentication into environment
  • Manual effort to scale (à la PKI)
  • Distributed admin is falling out of favor – customers don’t want to manage details of authorizations (in multiple id repositories)
  • Need to have user-controlled Ids for novice users – protect the user from themselves – but when they get somewhat more savvy, they drop out – slows the market growth
  • Deployers often don’t implement entire spec (example: SAML2) – specialized deployments use more of spec in order to scale e.g. metadata
  • Need to draw a line between product Interop & business best practices
  • Need to improve quality of initial authentication – privacy concerns – user experience is getting worse & worse
  • Need clarification of privacy models
  • Portability of identities across devices
  • Blending of identities occurring: need to make use of OpenID functionality, for example, as consumer identities blend with corporate IDs
  • Presence/idleness/location/on-line?/location-based access rights
  • Claims linking to authoritative sources

Next steps?

  • Scale interoperability capabilities up to higher level – working groups should form to do that
  • Move beyond point-to-point connectors to achieve common ground to achieve security and SSO across all platforms
  • Industry-based workgroup to tackle inter-federation both as technology and business issues
  • Inter-federation between corp & govt entities
  • Someone should work on usability best practices
  • Improve user experience ‘the ceremony’ (micro & macro) – make the plumbing transparent – take a lesson from the iPod & ring-tones
  • One size will not fit all – guidelines need to go beyond current state