As always, I am constantly talking to new people about Identity Management in the Enterprise. We always talk about the usual topics: provisioning, authentication, authorisation, audit, etc. More and more recently I have been asked by people what my thoughts are on OpenID. Previously, these types of discussions were limited to the hardcore identity people such as the Identity Gang. But now I seem to be getting asked the question more and more by people within the Enterprise. A number of times it has been people who don't really understand what OpenID is, other than that it's one of the 'new terms'. Others are more informed.
So what do I think of OpenID and its application in the Enterprise...
I think OpenID so far has done a lot for pushing forward Identity 2.0 and has seen reasonable adoption within the 'social internet' (blogs, wikis, etc.). There is definitely a good use case for its application there. However, organisations have not yet really started to adopt this technology. There have been a couple, including Sun, who announced an internal OpenID server for employees last year. In the main, though, its uptake has been extremely limited.
I have no doubt that eventually OpenID will start to find a place within the Enterprise. However, at the moment, I really can't see its application within that arena. The problem that I see Enterprises facing when looking at OpenID is the lack of trust in the identity provider. Anyone can set up an OpenID server (indeed this blog is one) and use it to sign on to OpenID-enabled sites. However, where is the trust that I am indeed Paul Toal when I hit the target site? For enterprise cross-domain single sign-on, federation based on SAML (and the other standards) provides that pre-defined trust agreement. Clearly, what it lacks (and what OpenID goes some way towards addressing) is user consent.
As long as the trust issue is outstanding, I don't see why Enterprises would adopt OpenID for transactions of any value (financial or otherwise). There is a big difference between posting a comment on a blog that I have signed onto with my OpenID identity and performing a business transaction with an Enterprise partner using my self-asserted OpenID.
The answer to this might be to ensure Enterprises host the OpenID server so that their partners can be assured of trust. However, isn't that what standard federation gives us today? Do we actually want our employees deciding whether their identity information, as employees, can or can't be shared with other business partners?
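To make the trust gap concrete, here is a small added model (my own illustration, not code from any OpenID or SAML implementation) of what a relying party can and cannot conclude in the two cases described above: a SAML-style federation in which each partner IdP is pre-registered with its signing key, versus an OpenID login where discovery on the claimed identifier returns whatever provider the user chose. All URLs and keys are constructed, and an HMAC stands in for the XML signature a real IdP would apply; an OP that the enterprise itself hosts and pre-registers is accepted on the same basis as a federation partner, which is the point made in the paragraph above.

```python
import hmac
import hashlib

# Constructed federation trust registry: each partner IdP is pre-registered by
# entity ID with the key used to verify its assertions (HMAC secret here stands
# in for the IdP's signing certificate in real SAML metadata).
TRUSTED_IDPS = {
    "https://idp.partner.example/saml": b"partner-signing-key-constructed",
}


def sign_assertion(issuer: str, subject: str, key: bytes) -> dict:
    """Build a minimal assertion and sign it with the issuer's key."""
    payload = f"{issuer}|{subject}".encode()
    return {"issuer": issuer, "subject": subject,
            "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify_federated(assertion: dict, registry: dict) -> str:
    """Federation: accept only if the issuer was pre-registered and the
    signature verifies under the key agreed with that partner."""
    key = registry.get(assertion["issuer"])
    if key is None:
        return "reject: issuer not in trust registry"
    payload = f"{assertion['issuer']}|{assertion['subject']}".encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return "reject: bad signature"
    return "accept: asserted by a trusted partner"


def evaluate_openid(claimed_id: str, op_endpoint: str, registry: dict) -> str:
    """OpenID: discovery on the claimed identifier yields whatever OP the user
    chose, so a successful login proves control of that URL and nothing more.
    The RP can only rely on it if the OP is one it has pre-registered."""
    if op_endpoint in registry:
        return f"accept: {claimed_id} vouched for by registered OP {op_endpoint}"
    return f"self-asserted: {claimed_id} via unregistered OP {op_endpoint}"
```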
Maybe I am missing the point (feel free to correct me), but at the moment, I just don’t see where OpenID fits within the Enterprise.