I came in late (east coast early morning sessions are hard the first day) to a session on identity management to hear Bob Morgan talking about how we’re likely to see two different kinds of federated identity management in the future: one that is driven by compliance and legislation where there are a small number of large identity providers at a national level; the other being lots of small loosely-federated identity providers in an ever-shifting tapestry as needs require.
Now Kirk Brown from Sun is talking about their concept of federated identity management. While there’s not a lot of detail here, it strikes me that their solution is a broker between multiple identities and identity providers. The example he gave of this in use is at Wells Fargo in their bill-paying service, which brokers lots of identities behind the scenes.
Mike Jones from Microsoft describes himself as a “protocol evangelist” within Microsoft. He’s talking about how identities work within contexts – coffee cards work at a given coffee stand, bank cards work at an ATM, etc. He gives the old example of using an SSN as a student ID as an example of misuse of a context. Then the lessons MS learned from Passport. Passport was designed to be an identity provider for Microsoft’s online properties – where it’s been a huge success (250+ million users). But it was also hoped to be a global Internet ID provider – where it was a complete failure, for social and political reasons, not technical.
Mike is going through Kim Cameron’s Laws of Identity. The conclusion they came to from those laws is to define a Metasystem of identities – something that will do for identity what IP did for defining a common layer of internetworking. Just as IP did not replace Ethernet, this metasystem will not replace SAML or Kerberos or X.509. This is the basis of the WS-Trust and WS-MetadataExchange web services. He showed a mockup of how this might look to a user, where information about the identity of a site is presented to the user for their perusal so they can decide whether to accept it or not, and then the user can choose which of their many identities they want to present back to the site. They’re talking to Apple, Mozilla, Sun and others about these protocols.