No all-encompassing IdP in near future

* Catalyst conference panelists conclude that no identity provider today can address the issue of having employees all over the world

I didn't make it to The Burton Group/Gartner's Catalyst conference in Prague this year, but I have heard from folks who did get there.

<aside> Catalyst US is coming up in just a couple of weeks, July 26-30 in San Diego. Sadly, I won't be there, either. </aside>

Nordic Edge CTO Jesper Thomo was at Catalyst-Prague and let me have his impressions to pass on to you. In passing, he noted that there's still much confusion between Authentication (authN) and Authorization (authZ). I doubt we'll ever solve that problem.

Jesper was on a panel discussing "Where does the identity come from". He says that the panelists "…talked a bit about the initiatives that we'd seen in some EU countries and also the work from ENISA [the European Network and Information Security Agency]. One of the customers during the discussion asked: 'I have employees from all over the world. What IdP can help me with all my identities?'"

Jesper and the other panelists concluded that there is no IdP that can solve that problem today. Thomo added "Then I started to think about the future -- will there ever be one worldwide IdP that everyone can use? Probably not, at least not in the near future. There is just too much trust, relationship, liability and standards needed to get to that scenario."

Later, he was involved in numerous discussions about "how the social private identity is merging more and more with the employee identity." What I might call "user-centric" identity and "corporate" identity (a subject that's come up here before). That's when Jesper's light bulb lit up.

"So, it struck me," he said, "what if we would get a couple of big 'non-trusted' IdPs, like Google, Amazon, Salesforce, Yahoo, etc.?" (by 'non-trusted', he meant that the identity is not a trusted identity (like an identity you get from a bank or the government), since you can add any information you want when you register at the site for their applications.)

Thomo continued: "Then when the person start to work for a company, the trust will be between the employer and the user, by mapping the user's private identity to the company identity. So, the user will then be able to use the IdP (Google et al) to authenticate when accessing his employer's company information. An authorization service, either internal or external, can be used to verify if the user should have access to the application or resource."

A very interesting concept. I do see some security issues (scammers setting up their own companies to verify their own ID), but that could be easily overcome with verefication services. As always, your thoughts are appreciated.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Related:

Copyright © 2010 IDG Communications, Inc.

SD-WAN buyers guide: Key questions to ask vendors (and yourself)