Internal and External Identity in the Enterprise

Conference IIW8 Room/Time: 11/G

Convener: Justin Richer

Notes-taker: Ben Sapiro/Justin Richer

Attendees:

Technology Discussed/Considered: OAuth, OpenID, SAML, HP's authorization thing

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

This topic was intended to deal only with corporate or organizational identities and the need for internal-facing identity (with data like org charts and signature authority) vs. external-facing identity (with data like organizational affiliation and demographics), and not with the need for an individual to have multiple personas or identities.

Entitlement vs Identification: internal vs external decision making relative to the Identity Provider.

An interesting SAML implementation (which one?) includes a full delegation train for traceability.

"we don't need an external identity that skips the trust relationship" -- but what about cases where trust is not established between organizations?

Maybe what we need is more fine-grained access control, and less of a need for identity overall. But: we still need some sort of identifier within the RP to trace the user back out to the endpoint. Fine-grained authorization means zero login versus single sign-on.

"I should only authenticate people I can identify, that I can throw in jail - if you authenticate people we haven't identified, we have less control - we should pass authorizations for those we cannot identify"

I can, as a member of an organization, self-identify as part of that organization to the outside world using legacy technologies (email address, corporate credit card). How do we do this with our current tech that is designed around individuals on the internet?

"We must be careful of confusing the digital identity world with the physical identity": the cards in your wallet are not the same as an InfoCard.

Start thinking about using claims for your internal apps. What about internal unofficial apps that aren't integrated into corporate auth, but need the same level of auth? Corporate systems need to allow for this.