Many Pies

Many Pies

Tuesday, October 30, 2012

Federated identity - using Twitter to log into your intranet at work

Following up on my previous post, here's some stuff to help you get your head around Federated Identity. (The wikipedia article I linked to in that post isn't that good. I wish I head a grasp of the concepts enough to improve it. The one on Identity Management needs even more work.) The video in this blog post Federated Identity 101 is a good start.

Some questions that people might ask have come to mind as I've started thinking about this stuff. Here's the first:

Why can't I use Twitter to log into my intranet at work?

There are a few things preventing this from being possible. Although using existing logins makes life easier for the user the people who provide the systems have justified concerns. (Jargon sidenote: authentication is checking you are who you say you are. Related is authorisation which is checking what you're allowed to do. A service provider is a system you are trying to use.)

So if I'm a service provider running the intranet and the users are asking to use their twitter account, here are my concerns:
  • I know that Fred Bloggs is an employee, but how do I know that @FredBloggs (who seems to be doing quite well making money at home) is the same person?
  • Even if I do verify that, how can I be sure that Fred Bloggs twitter password isn't easy to guess? If Twitter's password policy is weaker than our existing password policy, then it's like putting a big lock on the front door, and leaving a side window open. Judging by the number of people who have their Twitter accounts hacked, their password protection isn't that strong.
  • Even if Twitter's policies are good, then say they remove your account after 6 months of inactivity and someone else signs up with the same username. They the other FredBloggs can log into your intranet even though they aren't an employee.
These issues are all around the issue of identity assurance (apologies if you find italics patronising) and the last one in particular is identity lifecycle.

From time to time I think of this Dilbert cartoon when it comes to the latest Big New Thing, whether it be SOA, Cloud or Federated Identity.

So when your equivalent of the point haired boss comes up to you and says "I think we should build a Federated Identity system", you could ask him what colour he wants it, or ask him about identity assurance.

Edit: Here's the cartoon that Giddie mentioned below:

1 comment:

Anonymous said...

I'm also a little reminded of this, from just a week ago: