I have been asked on a number of occasions for my thoughts on how user-centric identity can apply to employees within the enterprise. This is usually just a poorly disguised technology question (i.e. what are CardSpace and OpenID). On occasion I have had to take this further and explore peoples varying definitions of user-centric identity and relate that back to an enterprise employee setting. There are valuable things some enterprises will do with user centric identity for their customers, but trying to put user-centric identity concepts entirely within an enterprise setting feels like a bit of a stretch in the near-term.
• User centric implies user control. This is in many cases the inverse of what most enterprises want, but not to say that there aren’t scenarios where a new approach will not add value.
• User centric implies self asserted information. Enterprises already know everything they care to know about their employee. With the exception that it’s possible that a third party could attest to a user identity maintained in the cloud or on some keyfob, and that user could bring that identity into the enterprise when they are hired on as an employee or contractor. But we’re a ways off from a robust enough ecosystem and trust model to support this in mass.
• User centric implies user choice of identity provider. Within the enterprise, HR and Active Directory are the authoritative IdP, and the enterprise likes it that way. While the enterprise might allow their employee identities to be used outside of their company that identity will no doubt be contingent upon employment. In 99.9% of cases today, the employee does not get a choice of IdP, and that’s not likely to change anytime soon. Investments in employee strong authentication will only further centralize this point.
• User centric implies simplicity and SSO. The enterprise has been trying to solve this for 20 years with Kerberos, E-SSO, SPNEGO, WAM and SAML. While there are a few new themes with user-centric scenarios, I don’t believe anyone thinks that there is a new silver bullet here.
• User centric implies identity for Web 2,0. The enterprise is going there, but web 2.0 enterprise products will be forced to integrate with the existing identity/security infrastructure inside the enterprise. I don’t think Web 2.0 will drive Identity 2.0 inside the enterprise.
• User centric implies user privacy. This is one area where enterprises may look to defer liability/risk/cost associated with protecting personal employee information.
Points well made... This has come up recently with a government client of mine. A vendor, promoting information cards, stated that user managed identities were key to their strategy.
Okay, maybe I'm old school, but how far can this be extended before the value of that identity becomes pseudo-anonymous, and therefore useful for access to only the most basic information? And if Company A is going to vouch for an ID issued by Company B, what kind of agreement will they need to negotiate to address liability concerns?
The exception, I suppose, would be if the IdP were a national government. In this case, Company A would have more comfort in accepting the user-supplied credential -- at least there would be meaningful recourse if something went wrong...