One of the reasons behind launching SignOn.com was to compare and contrast different identity protocols. There are things that you can learn by reading the specs. And then there are things that you can learn by deploying/implementing the specs.
We have had support for OpenID and Information Cards for a long time. With the latest release, we have added support for SAML by leveraging PingFederate.
Additionally, we have integrated with Google Apps. Google Apps is a service from Google that features applications for mail, calendaring, docs etc.
This allows SignOn.com users to
Add Google Apps services to their SignOn.com accounts (e.g. you can have an email address like firstname.lastname@example.org that’s hosted by Google Apps).
Single Sign-On to Google Apps via their SignOn.com credentials (username/password or Information cards).
Your username for Google Apps will be the same as your user name for SignOn.com. For example, if your SignOn.com username is joe, your email address will be email@example.com.
In order to enable your SignOn.com Google Apps Account, do the following:
Login to SignOn.com (register if you don’t have an existing account).
Go to My Profile tab and make sure that you have your firstname and lastname populated (we need this information to create your Google Apps Account).
Go to My Accounts Tab.
Scroll down and you will see ‘Partner Accounts’. Click Add. This will enable your account with Google Apps.
Go to the home page again. And you should see another link e.g.<username>@signon.com. Click on this and this will take you to your mailbox.
For the first time access, you will have to go through Google CAPTCHA to complete the registration process with Google Apps.
For future access, you can either go to your SignOn.com home page and click on Google Apps links (IdP initiated SSO).
Or you can access Google App services directly by going to the following URLs, and it will redirect you to SignOn.com for authentication (SP initiated SSO).
Slideshare doesn’t handle animation very well. So here is a run-down on the final demo.
In addition to demonstrate inter-operability with other vendors, I was able to show how to login to Google Apps, using SAML IdP/Infocard RP from Ping, CardSpace from Microsoft and an information card from Sun. In terms of platforms, Sun’s server was running on OpenSolaris, Ping’s on Linux, CardSpace on Windows XP (which in-turn was running on Mac OS X) and Google’s on ‘whatever they run over there’.
I’ll be at RSA Conference next week participating in the following events.
Concordia What: The current goal is to demonstrate that SAML, WS-Fed and Information cards can co-exist and some of use cases where it makes sense. For instance, if you already have a federation setup (using SAML or WS-Fed), you can leverage Information Cards as an authentication mechanism and tighten the security. Similarly if you are planning on authenticating using an Information Card, you can extend the reach (and hence get more value for your investment) by federating using SAML/WS-Fed. Who: Fugen, Internet2, Microsoft, Oracle, Ping Identity, Sun, Symlabs. When: April 7th, 9AM-12:30 PM Where: Red Room 302, Moscone Center North/South, Esplanade level
OSIS What: This is an interop event where you will get to see most (if not all) of Information Card as well as OpenID providers and consumers. What started off as an informal interop session at IIW, now has 57 participants. A lot of credit for this goes to Mike, Dale and Pam for continuing to encourage (read harass) other participants. Who: 33 Companies. 24 Projects. 57 Participants. When: April 8th, 9th. Working session 11AM-4PM. Demos: 4-6PM. Where: Mezzanine Level Room 220, Moscone Center.
Mix-it-up What: This has now established itself as a standard event at the main identity conferences. This is where we leave the vendor, customer, big enterprise, small company hats behind and just have a good time. Most end up getting wasted and missing out on their next day appointments. Who: All available. When: April 8th. 6-8 PM (it’s not really going to end at 8). Where: 111 Minna Gallery (Tel: 415.974.1719).
I’m back from IIW2007B. As always, there was a lot of energy, lot of discussions and lot of networking. OpenID 2.0 was announced. OAuth 1.0 was announced. There were quite a few sessions on VRM. Some good discussions on reputation around OPs, RPs and users. I also got to spend one afternoon in the OSIS session where the discussions have moved beyond the “happy path” and the vendors (me included) are ready to tackle the edge use cases around Information Cards.
One of my favorite session was “What’s next for OpenID” led by Dick (Sxip) and Josh(JanRain). Now the OpenID 2.0 is wrapped and shipped, what needs to be improved for the next version(s).
Here are my notes from the session: (if you were there and I have missed or misinterpreted anything, feel free to correct).
Single Sign Out: OpenID allows the user to have a single identifier and get a single sign on experience across multiple applications. RP applications have different session time outs and this results in an inconsistent user experience as well as security issues. The protocol should have a way to “single log out” from all the applications.
Phishing resistant: OpenID has a couple of security issues, phishing being the primary one. It’s very easy for a rogue RP to redirect the user to a fake IdP and steal his/her credentials. There are a few solutions e.g. firefox plugins but it will be nice to have support for it in the protocol (or at least a best practice or recommendation for providers).
User experience less geeky: It may seem easy to some but typing (and remembering) whatever.myfavoriteopenidprovider.com is confusing and cumbersome for non-geeky, non-identity people.
Performance: Too many redirects. Direct authentication to the site using username/password results in a faster experience.
Cardspace – OpenID integration: CardSpace and OpenID are both addressing one fundamental problem – “Reducing Password overload”. Both have their strengths and weaknesses. It will be nice to have some convergence.
Identifier control: This is the identifier recycling issue plus some additional concerns. e.g I have my own domain name that I have redirected to my favorite OpenID provider. RPs may attach my identifier (i.e. my domain name) to my account at the RP. If I forget to renew my domain name (or I get hit by the bus), someone else may acquire my domain name and thus get access to my account at the RP.
Non-browser authentication – Ability to authenticate to non-browser applications.
Consolidation / Synonyms – If a user has multiple OpenIDs, then the RPs should allow attaching multiple OpenIDs to the same account.
Identifier management – The users may already have an OpenID identifier from AOL,Yahoo etc. but don’t know how to use it at the RP. This is a usability issue for the RP sites.
In the past, if you raise issues like “phishing”, the standard response was “this is a problem with SAML too” OR “this is out of scope for OpenID”. It was refreshing to be able to openly discuss the weaknesses and figure out ways to improve the protocol. I consider this a sign of maturity.
Suiwo, the disciple of Hakuin, was a good teacher. During one summer seclusion period, a pupil came to him from a southern island of Japan.
Suiwo gave him the problem: “Hear the sound of one hand.”The pupil remained three years but could not pass the test. One night he came in tears to Suiwo. “I must return south in shame and embarrassment,” he said, “for I cannot solve my problem.”
“Wait one week more and meditate constantly,” advised Suiwo.Still no enlightenment came to the pupil. “Try for another week,” said Suiwo. The pupil obeyed, but in vain.
“Still another week.” Yet this was of no avail.In despair the student begged to be released, but Suiwo requested another meditation of five days. They were without result. Then he said: “Meditate for three days longer, then if you fail to attain enlightenment, you had better kill yourself.”
Paul lists some Reconciliation ideas in a recent blog entry. His post raises two issues:
Why does SignOn.com require the profile information in the card (even though the site has the information already)?
As an RP/SP, how do you deal with the user’s profile information? Do you keep a copy? Do you ask it every time from the IdP? How do you handle claims freshness, expiry, etc?
The second one is a bigger question since it is dependent on several other things like RP business model, IDP/RP relationship etc. We need to have a F2F session to drill down on that one.
Let me attempt to answer the first one. We did spend a significant amount of time on this particular subject before coming up with what we have. It’s not perfect but it’s the best among the choices that we had.
If you (or anyone else) have a better idea to address this, please share and beers are on us next time we meet.
we wanted our users to have the option of registering multiple cards (one for work, one for home etc).
Once the user has registered a card with SignOn.com, he/she should be able to go to the My Account page, look at the registered cards and quickly determine if a card has already been registered.
We prototyped 3 ways to address the requirements:
Display PPID – This option will require the card to only have a PPID (every personal card has one). And then under My Account, the user will see a list of PPIDs. In case you haven’t seen, this is how a PPID looks alike – 7n+eg3TBKNP1ylqPrksKmS0xB8uyhTVX36XcdiEDdk0=. Needless to say, it isn’t exactly user friendly. Additionally, the PPID is created on a per site basis. In order to see the PPID, the user has to submit the card to the site. Therefore if the user likes to verify if a card has already been registered, he/she has to invoke the card selector, select a card and submit it. 3 clicks only to find out if the card has already been registered.
Card name / label – At the time of registration, allow the user to enter a card name or a label to identify the card. The CardSpace client has a card name associated with the card. However, when a user submits the card to the site, the name does not get transmitted to the site. Therefore the name/label at the site has to be a completely manual process and will have no link with the card name in the identity selector. (We could have used nickname as the card name, but it meant overloading the claim and we didn’t want to go that route).
Additional claims – Ask for more claims from the user (e.g. firstname, lastname, email address) and hopefully that will give the user enough indication if a card has already been registered. It still has the problem since the user might have multiple cards with the identical claim values.
We had an independent team perform a usability test on the 3 prototypes and they preferred option 3. Personally, I would have preferred a way for the cardspace client to send the card name to the site and then pick option 2.
Net/Net as it stands today, we aren’t using the claims in the card to map it to the user’s profile data but merely as a visual clue for the users to look at their registered cards. If you have a better idea, I’m all ears.
To try out the demo, go to DIDWDemo, get yourself a card and ‘Go shopping at Starbuzz Coffee’. You need to have IE7 and MS CardSpace to checkout the demo (the bank site doesn’t support Firefox).
From the outside, it looks like any other ‘Managed Information cards’ demo. But behind the scene, the merchant site and the issuer are integrated with ACI’s Access Control Server and Payment engine. In the coming weeks, we’ll allow the user to monitor the transaction details between the merchant and the issuer.
For more information on the concept, checkout Sid’s post here .
James mentioned another reason for relying parties’ lack of support for Information Cards. Wanted to add more thoughts on that:
I haven’t seen many consumer based web applications that leverage the web access management products. I may be wrong but the WAM products are more in use for the internal/enterprise centric applications.
The access management products that you have listed provide authentication modules (and the SDK) which allows other authentication schemes to be hooked. Therefore, it’s not a big deal to create a custom authentication module/scheme for Information cards and then create the appropriate token/session.
We demonstrated a similar use case at Catalyst last year where you can use an information card to login to a Siteminder or CoreID domain. Behind the scene, you retrieve claims from the information card, contact the access management server and then create the appropriate token.
CA (Siteminder), Oracle(CoreID) and IBM (TAM) were all part of the OSIS interop demo at Catalyst in June. And Sun has demonstrated a CardSpace extension to their OpenSSO offering too. I don’t know when these products will be commercially available but I’m sure you know that a real customer/requirement can change priorities pretty quickly in the vendor world.
Let us know when you are ready
Noticed from Kim’s blog that the CardSpace team is blogging. I’m just back from DIDW where I had some good discussions while presenting our Payment Card Demo. So I figured it might be a good idea to compile a list of the things that I heard and share it with the CardSpace team. If I have missed anything, please let me know and I’ll update the list.
Too many clicks In our demo, we showed how can you use a card to make an online purchase with a merchant e.g. Amazon. Once I have my profile setup at Amazon, it takes “1” click to make the payment. With Information cards, it takes “5” clicks. Everytime.
UI too techie
The whole CardSpace UI is too techie especially the error messages. Messages like “Personal Card is encyrpted…” and when to ‘retreive’, ‘preview’ or ‘send’ a card are all technically correct… but explain that to my grandmother in Omaha. (My grandmother doesn’t live in Omaha nor do I think that people from Omaha are dumb…but you get my point).
This is my personal pain point. Since launching SignOn.com in July, I haven’t used the username/password option while logging on to SignOn.com. However, the CardSpace client is too slow (especially during the first invocation). At times, I wonder if I clicked it or if the site crashed. The auto-form-filled username/password option is so much more convenient.
Relying parites see no reason to support CardSpace at this time, since there is hardly any user adoption. “<grin>I’ll implement it when more than 5% of my user base can use it</grin>” is the standard response from the application providers. From the user perspective, “<chuckle>I’ll install it when there are more than 2 websites where I can use it.</chuckle>”. It’s a Catch 22 but someone has to bootstrap the process. Vista adoption has been slow. One can download it for XP, but the download is over 50MB and there is no reason for an average user to go through this. My suggestion ( talk is cheap ) is to break the CardSpace component out of the .NET 3.0 framework and then push it down to the user’s desktop via Windows update. I know this is probably wrong and breaks a few of the identity laws (user consent etc) but it’s not like you haven’t done something similar to this in the past. Plus it’s for the user’s own good. They just don’t know it yet.
Submit it to a standards body
You have done a great job in opening up the specifications. Other identity selectors like xmldap and DigitalMe are proof that you can have an end-to-end deployment without any Microsoft technologies. However, the CardSpace profile (I don’t know if this is the right term. It was used by one of the attendees) on how the selector gets invoked and how the message gets encrypted, the 14 self-issued claims are still under your control and it will be nice to submit it to a standards body and let others collaborate/contribute.
Open up your road map / bug list
I understand that you have a lot on your plate and you are working as hard as you can to get the next version out. However, it will be nice to get some transparency into your roadmap / bug list on what and when you are planning to release. I’m not asking for an exact date for the CardSpace 2.0 release, but it will be nice to get what month/quarter do you plan to release and what are the top 5 features that we can expect. If you can open up you backlog/bug list to the public, that would be awesome.
Get some awareness
Something on the likes of spreadfirefox.com. The OpenID foundation did a great thing by starting the bounty program. Native plugins for Joomla, Drupal, WordPress and the likes will really make it easy for the site owners/deployers. I understand some of this is in progress. The Catalyst event in June and the one coming up in Barcelona are a step in that direction. But it will be nice to get the ‘13 year old army’ (learned this term while attending a Boulder Barcamp) behind you. BTW…last time I checked spreadcardspace.com is still available.
Open/Free RP toolkits
This relates to the previous point. It takes a weekend to get an OpenID library, deploy it and test it. It takes over a week to understand the specs around Information Cards. Some drag and drop library where the installer/deployer doesn’t really need to know the inner workings will really help.
This issue has to be addressed (if not resolved) before calling CardSpace a real, production-ready, mature, ready for mass deployment technology. I know that cards can be exported and imported but it’s not practical. A way to carry my selector on a USB key or a smart card based selector or a mobile based solution or a service in the cloud with one click sync.
Get the terminology right
I understand the difference between CardSpace, Information Cards, Infocard, Idenitity Selector, Identity Agent, Digital Me etc, but it causes confusion. When building SignOn.com FAQ, we looked around for an official definition for ‘Information Card” and found none. Our tech writers eventually came up with this. Have an official one page to explain the terminology and then heavily reference that page everywhere.
This is at the bottom of the list. You can always add features and still have some more to add. I don’t think it’s the features that’s hindering the adoption. All of the below items will be good to have but some real world deployments even with limited use cases should be higher priority. Here is a partial list of the features that came up:
Allow for mutiple issuers for the RP.
Allow for RPs to transfer information to the IdP at runtime. I know this can hacked a bit by setting ‘RequireAppliesTo’, but I would like to be able to pass proper data structures both ways.
Ability to either modify or extend the CardSpace GUI.
Ability to allow for other type of authentication methods e.g. OTP.
Allow the user to shut-off the cardspace invocation on a per RP basis. I agree with the user consent et all but it does get annoying on frequent use.
I strongly believe that CardSpace/Information Card is a great technology. Kim, Mike and the rest of the Microsoft folks have been very open and supportive in sharing information and resources. Most of the people I talked to, shared the same sentiment. We even had a round table on CardSpace/OpenID during our User group session after DIDW and everyone can see the potential. I hope we all will be around to see that happen .