DIDW: Understanding CardSpace in the Enterprise

Patrick Harding, Ping Identity

Discuss where CardSpace might work in Enterprise.

Assumption that this will be very helpful in the consumer space.

Federation inside the enterprise is growing. The protocol question is mostly settled: SAML 2.0 and WS-Federation.

Enterprise Federation hubs have enabled 5-10 spokes

Common enterprise scenarios are: employee SSO to ASPs, business partner SSO to enterprise apps, and ASPs and portals integrating 3rd-party services.

What is CardSpace

CardSpace is the new identity initiative in Vista: secure visual metaphor for managing identity information

In the enterprise context, it is the digital equivalent of your employee badge.

Today federation is passive, with no user control: an IdP and an SP with trust established via the SAML 2.0 Web SSO Profiles, etc.

Microsoft CardSpace, Higgins, and SAML 2.0 ECP allow active federation. This allows the user to be involved and opens up new use cases.

Why CardSpace?

  • Self-asserted identity information
  • Standard identity and authentication UI metaphor
  • User can control the flow of information

Scenario 1: Mixing Privacy Domains

Allows federation between work accounts and semi-personal accounts (like 401K accounts).

Scenario 2: IdP Selection / Discovery

Often an employee arrives at a service provider and needs to identify themselves to a 3rd party, e.g. going to your cell phone company and identifying yourself as an employee of a company to get specific plans. SAML 2.0 can do this today, but not particularly well. CardSpace brings user control into this process.

Scenario 3: Reduce Phishing Risks

Web-based authentication is easy to spoof; CardSpace can provide a graphically distinct authentication mechanism.

Scenario 4: Strong Authentication

Employees are required to leverage alternate, stronger forms of authentication.
CardSpace enables a standard UI metaphor for all authentication mechanisms.

[SJC: These scenarios seem a bit thin and certainly none represent a killer-app to drive adoption. Most of these problems can be solved other ways, as the presenter is indicating]

Scenario 5: Role Management

Employees can choose what role they wish to act in when accessing an application: accessing an HR app as a manager vs. as an employee, etc. This simplifies temporary delegation.

[SJC: This is cool though, IT guy logging in as a user, vs. as an admin]

Ashish, Ping Identity

Demo:

Business relationship between enterprise and sales force, webex, 401k, etc.

Not blogging the demo, very hard to take notes on this. :)

Kim Cameron, Microsoft

- Enterprises are consumer facing
- Many enterprises have relationships with individuals and small businesses
- These are often not central to consumers' lives, but are still important when they matter

Think of analysts who have a website and a password: if you are asked to read something there, you don't know the password to the site. You don't normally go there, but when you want to go there, you really want to go there.

Information Card Strengths

- Fast acquisition
- Intermittent relationships
- Risk reduction: anti-phishing and information minimization

With the proliferation of identity pollution there is a concomitant tendency for legislation to affix financial cost to those catastrophes.

With infocard technology you don't need to store a bunch of information, just the profile. The provider doesn't need to store the information. [SJC: But why wouldn't they? What is their motivation if they gain an economic advantage from having the information?]

We don’t yet know all the best practices around infocards but we have some good ideas around how this will work.

Let's assume more folks start using information cards. If large internet sites enable billions of users, there might be increased pressure to adopt information cards for external relationships. Does it make sense for your enterprise to do something different from what the enterprise's employees might expect (especially in this age of de-perimeterization)?

The Identity metasystem model

The identity provider, the user, and the relying party are all able to trust one another, but the user stays involved.

The model of "create a user" is broken and makes no sense. Yet this is what happened in the old domain-based model. This gets really unpleasant when there are multiple domains. The federation model implied that these multiple domains could create trust relationships.

Then you wind up in this meshed enterprise model, which isn't just several domains but large numbers of domains.

Empowering Users to address this problem

Achieving access control while granting access has been really, really hard.

The conclusion was to remove the user from any involvement, including the business units.

General solutions require increasingly complex policies.

I believe in an alternate approach: make it easy enough that users can grant their own access, albeit under adult supervision.

Trust is local and contextual. The resource owner makes the trust decision, though he might delegate. It is still a matter of them controlling the access. The business units should be able to make these decisions, not IT; that has been impossible because it is too hard. Information Cards can make this much easier.

Conclusions:

Simplification and visualization allow us to devolve control to the owners of resources.

Give the benefits of a single user experience at home and in the enterprise.
