Saturday, August 04, 2007


Use-Case for OpenID and/or InfoCard?

Marco Casassa Mont asked for use cases for OpenID and/or InfoCard within an enterprise context. While I haven't decomposed them to the strict definition of use-case, I will describe scenarios that I envision them being used in...

If I had to name the most important scenario in which OpenID and/or CardSpace would be used, it would be for enterprise applications to consume them. For example, I would like to see HP/Mercury's ITG product allow for sign-on using a card. Likewise, how about working with Luc Clement to get the Systinet folks to consider enabling their business services catalog to support user-centric notions?

Consumption should extend beyond security-oriented products and needs to be embedded within the enterprise applications we already use. How come and Siebel in terms of CRM products aren't yet on this bandwagon? Why can't Documentum, Alfresco, Stellent or Filenet in the ECM space participate? Wouldn't it make sense for BPM products such as Intalio, Lombardi Software and Pega to have the capability of consuming Information Cards?

I suspect you were looking for business scenarios, and who am I to rob you of seeking them? Let's talk about a scenario of a fictitious insurance company whose business model is to insure Segways. This insurance company works with a variety of independent insurance agents who have relationships with not only this insurance company but also its competitors. Each insurance company today has security policies that are inconsistent with those of its competition and force insurance agents to deal with differences in credential format, expiry, complexity and history, making security across insurance companies weak to the point that agents have to write things down on big whiteboards within their office.

Wouldn't it be useful if this insurance agent didn't have to have a separate credential for each and every insurance company they do business with, but could have one Information Card that they all trusted? Each insurance company could either simply accept a self-issued card or work together to figure out what claims they all desired in common so as to localize information to a single reusable card. This is why the notion of custom claims is important.

One of the claims that they may agree on captures the notion of licensing information. After all, you have to be licensed by some entity to sell insurance. The funny thing is that you may need to be licensed in multiple states, since insurance is regulated by the individual state governments. Today, there is no way to specify a multi-value claim within either technology.

Likewise, you wouldn't want to simply trust the identity provider, as in this model it would be difficult for them to ensure that everything is up to date. You may desire an approach where individual claims can be digitally signed by another party, such as the state insurance commission, rather than carrying only signatures originating from the identity provider.

If you were to dig further, you may figure out that authentication and attributes alone are insufficient and that you may also need to think more deeply about entitlements. An insurance agent may be licensed to sell personal insurance in Texas but not commercial, but may also be licensed to sell life insurance in New Jersey and health insurance in Indiana. Furthermore, licensing and its relationship to authorization may mean that even though this agent is licensed to sell personal insurance in Texas, he may not be licensed to do so with all carriers.
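
The claim model the last three paragraphs ask for, as an added sketch that is not part of the original post and not an OpenID or CardSpace API: a multi-valued license claim in which each value is signed by the licensing state's authority rather than the identity provider, plus an entitlement check that also requires a carrier-level grant. All names, keys and the card layout are assumptions, and HMAC stands in for a digital signature so the code runs on the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed keys. HMAC stands in for each authority's digital signature.
AUTHORITY_KEYS = {
    "tx-insurance-commission": b"constructed-tx-key",
    "nj-insurance-commission": b"constructed-nj-key",
}
# Which authority a relying party trusts to vouch for licenses in a state.
TRUSTED = {"TX": "tx-insurance-commission", "NJ": "nj-insurance-commission"}

def digest(key, agent, state, line):
    body = json.dumps({"agent": agent, "state": state, "line": line}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def sign_license(authority, agent, state, line):
    """One value of the multi-valued license claim, signed by its own authority."""
    sig = digest(AUTHORITY_KEYS[authority], agent, state, line)
    return {"state": state, "line": line, "signed_by": authority, "sig": sig}

def verified_licenses(card, trusted=TRUSTED):
    """Return the (state, line) pairs whose per-claim signature verifies."""
    ok = set()
    for claim in card["licenses"]:
        authority = claim["signed_by"]
        # Only the authority trusted for that state may vouch for it.
        if trusted.get(claim["state"]) != authority or authority not in AUTHORITY_KEYS:
            continue
        expected = digest(AUTHORITY_KEYS[authority], card["agent"], claim["state"], claim["line"])
        if hmac.compare_digest(expected, claim["sig"]):
            ok.add((claim["state"], claim["line"]))
    return ok

def may_sell(card, carrier_grants, carrier, state, line):
    """Entitlement: a verified license AND a grant from this particular carrier."""
    licensed = (state, line) in verified_licenses(card)
    granted = (card["agent"], state, line) in carrier_grants.get(carrier, set())
    return licensed and granted

# Constructed sample card and carrier grants for the scenario in the post.
CARD = {"agent": "agent-001", "licenses": [
    sign_license("tx-insurance-commission", "agent-001", "TX", "personal"),
    sign_license("nj-insurance-commission", "agent-001", "NJ", "life"),
]}
CARRIER_GRANTS = {"segway-mutual": {("agent-001", "TX", "personal")}}

if __name__ == "__main__":
    print(may_sell(CARD, CARRIER_GRANTS, "segway-mutual", "TX", "personal"))  # licensed and granted
    print(may_sell(CARD, CARRIER_GRANTS, "segway-mutual", "NJ", "life"))      # licensed, not granted
```

Binding the agent identifier into each signed value means a license lifted from one card does not verify on another, and editing the line of business on a signed value invalidates it.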

Hopefully this information helps and will turn into some deliberate action or at least a worthy discussion. I really hate providing insight and not seeing any evidence that my effort actually matters. Hopefully, the likes of Johannes Ernst, Kim Cameron, Pat Patterson, Mike Jones and others will stop thinking about identity solely in the context of security products and instead will think about how identity participates in BPM, ECM, CRM, ERP and Portals and will get them to engage in the next conversation that needs to occur. Likewise, hopefully my enterprise architect peers in other enterprises will start publicly sharing additional scenarios in which user-centricity doesn't yet meet the needs of the business.

Enterprise architects need to help software vendors write valuable, high quality software that we will ultimately procure, so let's stop drawing utterly useless four-color chock-a-block eye candy PowerPoints and start truly enabling the strategic intent of the business, which requires us all to participate in a larger conversation than our current focus may afford us...
