Knock, Knock – Who’s There?Towards Federated Authentication

Leigh DoddsChief Technology Officer, Ingenta

Society for Scholarly PublishingSan Francisco, June 2007

The Identity Problem

Too many passwords

…Flickr & YouTube & FaceBook & MySpace & LiveJournal & LinkedIn…

Identity Silos

Vendor Lock-In

E.g. Microsoft Passport

Single Sign-On can solve these problems

Single Sign-On = Federated Authentication

Knock, Knock

Who’s There?

Dude..It’s Me…

Who Says?

Er…Ask That Guy…

Hey, do you know this guy?

Dude, that’s Leigh

Respect Mah Authoritah!

Oh, OK. Thanks

Hi, Leigh…

There’s More Than One Way to Implement This

User

Service Provider

Identity Provider

Where Things Differ…

• How do we know who the user’s Identity Provider is?

• How do the Service Providers and Identity Providers talk to one another?

• What information does the Identity Provider expose about the User?

• Can we trust the Identity Provider?

• How does the Identity Provider authenticate the user?

OpenId

• User-centric

• Simple to implement

• Growing number of open source toolkits

• Rapid adoption in web community

• Does not address trust issue

Shibboleth

• Library-centric

• Complex to implement

• Open source software plus commercial options

• Growing adoption in library and publishing communities

• Introduces element of trust

Conclusions & Further Reading

http://del.icio.us/ldodds/tag/ssp-2007-06