Last week I started a discussion within the Identity Gang trying to understand where user-centric identity fits into the corporate world. This has sparked a whole heap of discussion on the topic. Hopefully, I will try and summarise my thoughts here at some point in the near future.
However, for now I am trying to add some technological detail to the use case.
Taking some of the comments from the Identity Gang on board, it seems to be agreed that the user doesn’t ‘own’ their corporate data, at least not all of it. The data is owned by the corporation since they are responsible and liable for my identity whilst I am working for them.
However, the user should have some level of control when deciding where their identity data (specifically the user-owned data) is released to.
Whether this is by a direct ‘approval’ in real-time (not particularly practical) or whether this is pre-determined through preferences, policies and profiles can be decided at a later date.
My next thought is how this could actually be implemented and whether it is practical to implement in the corporate space.
Let’s take the example of private health insurance. When I, as a new employee, join an organization, I can log on to my local intranet and then federate to my health provider to register for private health insurance. Now, assuming that the health provider is going to want to know information that I consider specifically mine and not owned by the corporation (e.g. date of birth etc), I should decide whether or not that information is released to them. To drop down below the concepts level to actually talking technologies and use cases for a moment, can anyone see a case for implementing a protocol such as OpenID/LID/YADIS etc within a corporation for this purpose?
By using this, I could authenticate to my federation server using my OpenID account and by doing that decide which of ‘my’ attributes I want to make available to the health provider.
Is this a feasible approach or are we over-complicating the process unnecessarily? At the end of the day, private health is a benefit for the employee. Do I want to complicate the process of obtaining that benefit? Is there even going to be a situation where I don’t give the health insurance provider my date of birth etc because by doing so it would prevent me from getting the private health insurance?
In addition, how, technically, do I then get involved in the process of approving the release of my medical records from my GP to my health insurance provider since this is now transactional data and not specifically identity data?
Food for thought!!