Project Concordia Has Its Work Cut Out For It

I attended the Project Concordia workshop yesterday, ahead of the Catalyst conference. I mentioned the project in a blog post last week; it has the worthy goal of trying to initiate efforts that make sense of the competing standards and methodologies that exist in the identity world. I found myself enjoying the kind of lively discussion that makes you glad to be part of such a dynamic community. Built around 5 use case presentations done by organizations deploying identity solutions today, the goal of the workshop was to identify the protocol interoperability challenges that these implementations are facing and what needs to be done to solve it.

The use cases presented by AOL, Boeing, Govt. of British Columbia, GM and US-GSA were quite detailed and very articulate with regards to the challenges being faced in their deployments. Since the discussion was one of standards and protocols, the discussions focused primarily on the authentication and federation pieces in the identity management puzzle (as those standards are the most evolved in the identity space).

Some common themes emerged in the discussions:

• Usability of the authentication process was identified as an area that is greatly lacking, and potentially needs some work by the standards bodies. The whole idea is to make the life of the end-user easier. Users shouldn’t have to worry about which credential they need to use, but should still have a choice of which credential they want to use.
• Seemingly at opposite ends of the spectrum, incorporation of the device into the authentication process (reliance on OS authentication) and independence from the device (for portability of identity across laptops, cellphones and kiosks) were identified as being key requirements
• Setting up federations still requires too much investment and time, preventing it from being a scalable solution to the single identity problem
• In the context of single sign-on across web applications, the topics of session timeouts and global logout generated much discussion
• Standards are being unevenly implemented by vendors. All cover the basic aspects of the spec, but none implement the whole spec, usually on edge features, which causes confusion, surprises and incompatibility.
• Everyone agreed that the non-technology aspects of federation are more complex than the technical aspects

The AOL use case was very interesting as it was the only one that was purely in the consumer space, and discussed the role their OpenID strategy plays in it. The others had more of an enterprise feel to them. At the same time, enterprises like Boeing and GM stated that they were actively trying to figure out where OpenID would fit into their business model. GM and Boeing both talked to the issues of deploying federation with 1000s of partners, and for a mobile workforce in manufacturing environments where issues of presence and entitlement management are key. The Govt. of British Columbia presented an interesting challenge of creating a federation with both large and small “organizations”, where organizations is a loose term that not only covers businesses but also small proprietorships like doctors offices, where the opportunity to deploy complex software does not exist.

The use case presentations engendered some lively discussions that were both entertaining and thought-provoking. Mike Beach of Boeing (never one to shy away from creating controversy) questioned the need for interoperability, postulating that maybe convergence of the standards is better. That is the essence of the challenge that Project Concordia faces – how to come up with an elegant, usable solution out of the morass of standards that different interests have thrown into the ring.