Research on Identity Management (by Marco Casassa Mont)

To Be or Not To Be an Identity Provider?

Published 12 September 2007, 09:21 PM

Yesterday, in a post of mine called “What is the Business Case for Identity Providers?”, I was wondering what would be the incentive for an organization to be an “Identity Provider” (IdP) and, in particular, one that just plays this role, i.e. with no additional stake in providing other services.

Of course, there is no constraint against being both an IdP and a Service Provider (SP). Actually, this is the most likely case to happen, in my view. I would not be surprised if Federated Identity Management consolidates and happens for cases based on a dominant organization/service provider and other subordinated service providers, where the dominant organization plays both the IdP and SP roles and uses federation to simplify the life of its customers, in a well-controlled environment. This is already happening in telecom and outsourcing contexts …

In theory, being just an IdP would be the ideal case, with a clear “separation of duty” between those who manage identities (on behalf of users) and those who “consume” them. But, in practice, does this make any sense? Here are some initial thoughts:

  • Would the Identity Provider have to charge users to store their personal data and enable their SSO across various Service Providers? Not sure if users are really willing to pay for this kind of service …

  • Would the Identity Provider have to charge Service Providers, let’s say on a transactional basis? But would Service Providers (1) be willing to give up the control that they currently have over personal data and (2) also have to pay for it?

  • Would the Identity Provider make a living based on advertising? Maybe, but then the temptation to use stored personal data to provide better, customised advertising to users, or potentially for other purposes, would be too strong. Would users be happy about this?

  • Would the Identity Provider be the user itself? If so, what would be the practical implications?

I think this is an important aspect to understand, independently of the various approaches, standards and technologies that are emerging (and competing) in this space, in particular for its implications on trust, privacy and assurance matters.

--- NOTE: use this mirror blog to post anonymous (un-authenticated) comments ---

Posted By marcocasassamont | 2 Comments


Comments

There is money to be made as an identity provider. The model is to make identity providers not keep identity information :) How can this happen? Well, you provide a service where the identity information is kept elsewhere and you provide links to this information. Anyone wishing to find out more, please contact me, because we are building such a system and we would like to federate with other identity providers. If we do this then we all benefit because the network becomes larger and value is a function of the size of the network. That is, the identities we look after become more valuable if those identities have access to other companies through other identity providers.
# Thursday, September 13, 2007 11:34 PM by cscoxk

Thanks for your post and input.

Could you please elaborate more on how you think this is going to succeed? You are basically talking about an "identity broker", aren't you?

Where is the actual identity going to be stored? Who is storing it (is this the data subject)? How would this simplify things if an additional level of redirection is required? What about security, privacy and assurance matters?

If you have a public web site and/or public documents about your work, feel free to share it with this community. Thanks.

Marco

# Friday, September 14, 2007 07:56 AM by Marco Casassa Mont
