CloudEnterprise.info

Email address as the universal identity

Posted by: Dmitry Sotnikov on: August 17, 2009

In the brave new world of enterprise applications moving to the web, do we need an identity directory spanning the internet, and if so, will the email address system become the de-facto global identity system?

Global directories are obviously not new. There were efforts like X.500 and the like, but then we kind of got scaled back to company-wide identities instead. So most of us just use a username (or DOMAIN\username) to log into our computer at work, and do not care that this is not globally unique at all. Sounds like the internet will make us care again.

Suppose you are designing a global enterprise SaaS application and you absolutely do not want to maintain user identities yourself (because this would obviously be a headache both to you and your customers).

Federation is the answer, right? So OK, you go out, pick the federation standard you like (for example, WS-*) and you should not care about user identities. Just redirect users to their actual identity providers – in the enterprise world this will likely be Active Directory – and let users in once you hear back that the user is authenticated there. Ay, there’s the rub – you still need to know something about the user to decide where to send the user to authenticate.

This problem is known as Realm Discovery – even in the federation world you still need to know where the user comes from. Here are a few options which I see:

Identity Selector on user computer

If all users on all computers had Windows CardSpace you could never prompt users for anything and just use those. However, the reality is that this technology has not taken off (yet?) so you cannot rely on it.

URL-based discovery

You could ask your customers to use custom URLs to access your site: e.g. CustomerA.MyWebService.com. In that case you know where the user comes from and can redirect to the proper federation partner. If you can have all users go to this custom URL instead of the generic MyWebService.com, this might be a pretty good idea.

The problem is that you probably cannot. Your users will probably want to be able to log in from your generic site as well. Even worse, they might want to delegate tasks in their services to users from other companies – and in this case they will have to learn and supply the CustomerB URL as well when setting up this delegation – which becomes kind of messy.

Ask the user

If the user comes to your generic URL and wants to authenticate (or is authenticated and wants to delegate rights to another user), what do you ask the user so you know where to redirect her for authentication?

Displaying a drop-down list with all your customers is probably not a good idea.

DOMAIN\username notation won’t work either – intranet domains are not globally unique.

I would argue that email address is probably the only usable solution here:

  • Email addresses and email domains are globally unique.
  • By this time, every user on this planet knows her email address and the email addresses of whoever she would want to delegate rights to. And obviously, despite spam, we are all trained to supply our email addresses when prompted by a credible service we need.
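As an added illustration (not code from the original post), here is how the two discovery paths described above, the CustomerA.MyWebService.com URL and the email domain, could be implemented side by side. The tenant names, email domains and identity-provider endpoints are constructed placeholders; the point is that only the normalised domain part of the address is used as the realm, and that an unknown realm yields the same "no provider" answer as a malformed input, so the lookup does not double as a customer directory.

```python
from typing import Optional

# Constructed registry: email domain (the realm) -> federation partner endpoint.
# Placeholder tenants and URLs, not real services.
REALMS = {
    "customer-a.example": "https://sts.customer-a.example/federation",
    "customer-b.example": "https://login.customer-b.example/federation",
}

# Constructed: the SaaS service's own host for URL-based discovery
# (CustomerA.MyWebService.com style) and its tenant-subdomain -> realm map.
SERVICE_HOST = "mywebservice.example"
TENANT_SUBDOMAINS = {"customera": "customer-a.example", "customerb": "customer-b.example"}


def realm_from_host(host: str) -> Optional[str]:
    """URL-based discovery: derive the realm from <tenant>.<service host>."""
    host = host.strip().lower().split(":")[0]      # ignore any port
    suffix = "." + SERVICE_HOST
    if not host.endswith(suffix):
        return None                                # generic host: nothing to learn
    tenant = host[: -len(suffix)]
    if not tenant or "." in tenant:                # exactly one label, no nesting
        return None
    return TENANT_SUBDOMAINS.get(tenant)


def realm_from_email(email: str) -> Optional[str]:
    """Email-based discovery: the realm is the domain part, lowercased.

    The local part is never used for routing; anything that is not a plain
    user@domain address yields None."""
    email = email.strip()
    if email.count("@") != 1:
        return None
    local, _, domain = email.partition("@")
    domain = domain.lower().rstrip(".")
    if not local or "." not in domain or any(c.isspace() for c in domain):
        return None
    return domain


def idp_for(realm: Optional[str]) -> Optional[str]:
    """Map a realm to its federation partner; unknown realms get None so the
    caller can respond identically for non-customers and malformed input."""
    if realm is None:
        return None
    return REALMS.get(realm)
```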

Where does this lead us? Not only do we probably need a global directory, we actually already have one. Long live email addresses. ;)

2 Responses to "Email address as the universal identity"

OpenID is already trying to do this as well. It provides more power over email addresses because you can associate certain information sharing rules with various sites and you can build your identity profile at a provider of your choice.

Steve,

OpenID is the underlying technology in a way similar to SAML/WS-*/etc. – not what you prompt users for. 99.99% of users when prompted for their OpenID will probably freak out and panic. :)

However, this does not mean you cannot mask OpenID to appear to be email addresses. For example, Google has recently made their Google Apps Premium an OpenID provider and their paying customers can indeed use their Google IDs (which they think is their email addresses!) to access other online services.

So if by OpenID you mean the underlying technology, then sure, this might well be effective. If you mean just prompting users for OpenID and expecting them to type in some kind of URLs – I do not see this happening.

Dmitry

© 2008-2012 Dmitry Sotnikov