Posted 3:12 PM (0) comments

The Diamond Framework

Paul Trevithick has done us all a great service: he's provided a matrix of terms from the major authentication/identity systems making up what's loosely called "user-centric" identity and equated the varying terms (each identified with a letter) to facilitate conversations about the varying protocols, systems and technologies. A wonderful effort coming, as it does, on the opening day of the spring Internet Identity Workshop.

Would that, in this best of all possible worlds, the various evangelists for these systems could adopt Paul's terminology.

Labels: Oauth, openid, SAML, user centric, VRM

Posted 2:31 PM (0) comments

Self-service de-provisioning

The always intriguing Pam Dingle has come up with what I believe is an entirely new feature for IdM systems - self-service deprovisioning!

In a typical self-service system, a user's accounts, authorizations, applications, etc. are pre-configured and are installed/activated the first time the user signs in. But in a post called Federated De-provisioning, Pamela extends this capability of self-service to the de-provisioning event. She describes it as:

"There is no reason why an authority could not return a set of claims at the time a terminated user attempts to authenticate to the Relying Party that says (a) do not authenticate, and (b) de-provision immediately. If the authority is set up to do so, the Relying Party is home free! The urgent use case has been taken care of (ie abuse), and the non-urgent cases can be dealt with at leisure, because the associated risk is dealt with. Who cares if it takes a month to actually delete the account, if you can guarantee that should the terminated user attempt to access the resource during that time, a real-time status check will occur and the termination will be discovered?"

Brilliant!

Let's see who's first to market with this...

Labels: federation, provisioning, SAML