Trading in trust

I can't sleep. This evening at work, I was discussing my growing stable of applications with a need for user authentication, and how these databases may use different forms of ID check (password, fingerprint, etc.), need to be geographically separated and in the control of different groups, and yet sync with each other because the same person is listed across them and would very much like single sign-on and other such pizzazz. It's a problem none of us saw coming.

The easy solution? Define a master database structure that has fields for all the possible identity mechanisms and another table mapping from this master to app db specific login names. Everyone syncs with this master.

So easy to screw oneself there, assuming partners whose apps are deployed with ours will not mind having their user accounts also thrown into the soup bowl.

I'm exploring OpenID. It does a brilliant job of decentralised identity verification, but I've realised my problem is two-fold. I need to verify identity, and I need to know their trust level across the system, without re-specifying it for each ID within each app's DB. OpenID doesn't trade in trust. I run just two production trust databases at the moment (in ZODB and PostgreSQL) with a third coming up (SQL Server), and syncing between them is bad enough.

What do I do with tens of apps supporting tens of thousands of users? (Thankfully not millions, but thanklessly no more than a few hundred per trust category.)
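The master-database layout sketched above, worked out as an added example that is not from the post: a master identity table, a credential table holding each ID mechanism a person has enrolled, a mapping from app-specific login names back to the master record, and a single trust table that every app consults instead of carrying its own copy. Python with sqlite3, the table and column names, and the sample rows are all my assumptions.

```python
import sqlite3

SCHEMA = """
CREATE TABLE identity (id INTEGER PRIMARY KEY, display_name TEXT NOT NULL);
-- One row per ID mechanism a person has enrolled (password, fingerprint, OpenID ...)
CREATE TABLE credential (
    identity_id INTEGER NOT NULL REFERENCES identity(id),
    mechanism   TEXT NOT NULL CHECK (mechanism IN ('password', 'fingerprint', 'openid')),
    value       TEXT NOT NULL,   -- password hash / template reference / OpenID URL, never plaintext
    UNIQUE (mechanism, value)
);
-- Maps each app's local login name back to the master record
CREATE TABLE app_login (
    app         TEXT NOT NULL,
    login_name  TEXT NOT NULL,
    identity_id INTEGER NOT NULL REFERENCES identity(id),
    PRIMARY KEY (app, login_name)
);
-- Trust is stated once per person per category, not once per app
CREATE TABLE trust (
    identity_id INTEGER NOT NULL REFERENCES identity(id),
    category    TEXT NOT NULL,
    level       INTEGER NOT NULL CHECK (level BETWEEN 0 AND 3),
    PRIMARY KEY (identity_id, category)
);
"""

def build_demo_db():
    """Constructed sample data: one person known under two app-local login names."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO identity VALUES (1, 'Example Person')")
    db.executemany("INSERT INTO credential VALUES (1, ?, ?)", [
        ("password", "<constructed-password-hash>"),
        ("openid", "https://example.invalid/person"),
    ])
    db.executemany("INSERT INTO app_login VALUES (?, ?, 1)", [
        ("wiki", "eperson"), ("tickets", "example.person"),
    ])
    db.execute("INSERT INTO trust VALUES (1, 'editor', 2)")
    return db

def resolve_trust(db, app, login_name, category):
    """Resolve an app-local login to its master identity and return the trust level
    granted in `category`, or None if the login is unknown or no trust was granted."""
    row = db.execute(
        "SELECT t.level FROM app_login a JOIN trust t ON t.identity_id = a.identity_id "
        "WHERE a.app = ? AND a.login_name = ? AND t.category = ?",
        (app, login_name, category)).fetchone()
    return row[0] if row else None
```

Because both app logins map to the same identity row, a trust level granted once is visible from every app without being re-entered per app database.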

If you're the kind to be sleepless at night considering similar problems, I'd very much like to be working with you.
    ext_2586 — May 15, 2007 5:05:23 AM — #

    Had used it when it was introduced. Apart from the problems they mention about spam, no trust, etc., I also thought it was weak in privacy. Anyone could know from where you authenticate by looking at your OpenID URL source (not sure if that has changed). But yes, great idea.
    karmakurma — May 15, 2007 7:49:35 AM — #

    Have you looked at SAML or XACML?
      Kiran Jonnalagadda — May 15, 2007 8:09:12 AM — #

      Thank you, thank you, thank you! So much goodness there (and hopefully, not too much weight).
        a5hok — May 15, 2007 12:37:44 PM — #

        Interestingly, we are planning to use Plone with eXist (an XML DB) with OpenID for authentication and XACML for trust (eXist uses XACML for XQuery ACL...). Essentially Plone pushes XML documents to eXist, and eXist is queried for the XML...
      appaji — May 15, 2007 5:44:34 PM — #

      Second that. Google Apps provides SAML based single sign-on.
    Anonymous — May 15, 2007 11:17:33 AM — #

    Trading in trust -- federation
    What you need is identity federation.
    Look at http://en.wikipedia.org/wiki/Federated_identity
    Anonymous — May 15, 2007 11:18:46 AM — #

    Trading in trust -- federation
    What you need is identity federation.
    Look at http://en.wikipedia.org/wiki/Federated_identity

    Regards

    Kanti
    Anonymous — May 15, 2007 1:09:50 PM — #

    Alternative solutions.
    You may want to check out Atlassian's Crowd server (http://www.atlassian.com/Crowd). The server supports LDAP and other custom authentication systems you may already have. They are also building in support for OpenID with the next release.
      Kiran Jonnalagadda — May 15, 2007 1:19:34 PM — #

      Re: Alternative solutions.
      Interesting, but the product's not open source and the pricing is way beyond what I can justify. I don't mind closed source components as long as they're components with clear inputs and outputs that I can replace wholesale should it ever come to that, but a user database server is too fundamental to not have total control over.
    ext_41405 — May 17, 2007 4:01:37 PM — #

    I have been using
    OpenID (my blog URL) to log in to a few places. It's working well.
    Anonymous — May 17, 2007 10:49:19 PM — #

    Doing something similar with millions of records in the healthcare system out here and just within 2 states! It's driving all of us nuts with the space and a whole bunch of issues I can't obviously say here.

    I know, no help of course, but had to throw in my rant as well :)

    Rads
    karmakurma — May 18, 2007 2:41:30 AM — #

    btw, this makes for some great reading on the topic of online reputation: http://www.windley.com/docs/2006/www2007paper.pdf
    Anonymous — Jun 2, 2007 1:21:25 PM — #

    Meta-directory implementation.
    Meta-directory could be an option worth exploring.

    Have used CriticalPath's meta-directory, which is a commercial product, and it works beautifully in a highly user-intensive environment (nih.gov uses it) with many heterogeneous authentication systems.

    OpenLDAP Server implemented as meta-directory could meet your needs.

    ~Anthony
