
Oblix’ circle of trust

Apr 07, 2004 | 3 mins
Access Control, Enterprise Applications

* Identity federation the Oblix way

Identity federation is usually explained by an example that typically begins: “An airline, a hotel chain, a car rental company and a credit card company walked into a bar…” No, that’s not right; the story is that the four companies form a “circle of trust” and provide authorization tokens to shared customers, so that the user only has to log on once and can then access all of the organizations in the circle, with the authentication to each one happening in the background.

Certainly, you’d expect that scenario from the Liberty Alliance since most of its founding members were in the business-to-consumer sector. But it’s turning out that this isn’t the only scenario and, at least among early adopters, it’s not even the dominant scenario.

Oblix, in releasing its SHAREid product, presents a different example:

“Consider two companies, Acme Inc., a computer manufacturer, and Beta Corp., a national distributor of Acme’s computers. Acme has several inventory and production applications within its portal, and it wants the employees of Beta Corp to access these applications, so that Beta can operate more efficiently.

Without SHAREid, Acme must manage the credentials, profiles, and logins of each Beta employee that accesses Acme’s applications. If a Beta employee quits or is fired and Acme isn’t told, that ex-employee will continue to have access to Acme’s applications. In contrast, with SHAREid, Beta’s ex-users are automatically locked out of Acme’s systems as soon as these users leave Beta Corp.”

A lot of people I present the “circle of trust” example to find that they really don’t need this service. Their browser, toolbar, operating system or third-party application already stores their identity information and presents it as needed to Web sites they visit as customers. Many, in fact, find this to be similar to the almost unanimously castigated “Hailstorm” initiative that Microsoft proposed some years ago.

It’s not similar either technically or from a security or privacy perspective, but it does have a superficial resemblance, so there’s a lot of customer resistance to overcome. The Oblix scenario, though, makes a lot of sense, especially from a security perspective. You can save money by letting all of your partners handle user management and authentication for their own users, while you need only take care of authorizations. Those authorizations can be role-based rather than individualized, saving even more money. In addition, you get increased security. Not a bad deal, I think. As an added bonus, Oblix’ SHAREid server will work with any LDAP-enabled directory, so there is no need to add a new datastore to your network. These days that’s not an insignificant consideration. There are others with similar solutions (and I’m sure to hear about them this week!), but look at the Oblix product first.
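The Acme/Beta arrangement described above, as an added Python example that is not Oblix code: Beta (the identity provider) authenticates its own staff and signs an assertion, and Acme (the service provider) checks the issuer, signature, audience and expiry, then authorizes by role from a table it owns, so removing a user from Beta’s directory ends that user’s access at Acme without any change on Acme’s side. The company names, secret, role table and HMAC signature are constructed for the example; a product like SHAREid would use signed SAML assertions instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret shared between Beta (identity provider) and Acme (service provider).
# A real federation product would use signed SAML assertions; an HMAC keeps this runnable offline.
PARTNER_KEYS = {"beta.example": b"constructed-shared-secret-for-demo"}
# Acme authorizes by role, not per person, so it never stores a Beta employee record.
ROLE_PERMISSIONS = {
    "distributor": {"inventory:read", "production:read"},
    "distributor-admin": {"inventory:read", "inventory:write", "production:read"},
}

class IdentityProvider:
    """Beta Corp: owns the user directory and authenticates its own staff."""
    def __init__(self, issuer, key, directory):
        self.issuer, self.key, self.directory = issuer, key, dict(directory)

    def deprovision(self, user):
        self.directory.pop(user, None)  # the HR event that ends access at Acme

    def issue_assertion(self, user, audience, ttl=300, now=None):
        roles = self.directory.get(user)
        if roles is None:
            return None  # ex-employee: no assertion is ever minted
        body = {"iss": self.issuer, "sub": user, "aud": audience, "roles": roles,
                "exp": int(now if now is not None else time.time()) + ttl}
        payload = base64.urlsafe_b64encode(json.dumps(body).encode()).decode()
        sig = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}.{sig}"

def authorize(token, permission, audience="acme.example", now=None):
    """Acme: trusts the partner's authentication, then decides authorization by role."""
    try:
        payload, sig = token.split(".")
        body = json.loads(base64.urlsafe_b64decode(payload))
        key = PARTNER_KEYS[body["iss"]]  # only issuers inside the circle of trust
        expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
        signed_ok = hmac.compare_digest(sig, expected)
        fresh = int(body["exp"]) >= (now if now is not None else time.time())
        roles = [str(r) for r in body["roles"]]
    except (ValueError, KeyError, TypeError, AttributeError):
        return False  # malformed token or unknown partner
    if not signed_ok:
        return False  # forged or tampered assertion
    if body.get("aud") != audience or not fresh:
        return False  # presented to the wrong site, or already stale
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
    return permission in granted
```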