OpenID Issues

Interesting post called OpenID is a Nightmare highlights a few potential problems with the federation model when used in a small business.  The problem is neatly summarised as follows:

Let me just preface this by saying of all the failure points in your business - you really don't want the door to be locked while you stand behind the counter waiting for business. No, let me rephrase that: you don't want the door jammed shut, completely unopenable while your customers wait outside - irate that you won't let them in.

Nicely put!  The main risk is that if you outsource identity, you better be sure it works otherwise you customers cannot access your site.  Looking at how U-Prove could be used to provide authentication to sites, there are some interesting advantages over the classic federation model

The problem with ‘just in time’

In the classic federation pattern a user is redirected to an identity provider to authenticate to be returned with a SAML token.  This is where the problem highlighted above can occur.  What happens if the Identity Provider is having problems, what happens if it changes something? This problem then hits you.

With U-Prove we can provision the client with tokens that can be re-used independently of the Identity Provider.  We of course have to consider revocation and lifetime if we want to move to long lived tokens rather a just in time pattern, but it provides a nice way to remote the business risk of just in time.