Tue, May 8, 2007

Brady Forrest

Sun Supports OpenID: Steps Towards Enterprise?

Sun has let it be known that they are going to start supporting OpenID, the increasingly popular distributed identity solution. However, they aren't making a consumer offering (just yet); it's only for their employees. As Tim Bray puts it:

What’s more interesting is that we’re rolling out an OpenID provider, but with a twist: You can’t get an OpenID there unless you’re a Sun employee, and if someone offers an OpenID whose URI is there, and it authenticates, you can be really sure that they’re a Sun employee. It doesn’t tell you their name or address or anything else; that’s up to the individual to provide (or not). The authentication relies on our Access Manager product, and it’s pretty strong; employees here have to use those crypto-magic SecureCard token generators for serious authentication, passwords aren’t good enough.

As Tim reveals, they are also using it as a test case for some of their software:

The technology is pretty interesting too. Our Access Manager product is a big, mature, enterprise-scale offering, but that group really hadn’t imagined an application like this, so there was quite a bit of engineering involved in getting it to talk OpenID to the Web at large. But it works now, and I’m hoping one of the developers will blog the details. It’ll be open source, of course.

More info can be found on Sun's developer site.

A lot of companies have started supporting OpenID one way or another (Radar post -- Microsoft supports it in Vista, Yahoo's Authentication APIs can be made to support OpenID, and AOL will be an OpenID provider). However, Sun is the only one to make it more of an employee tool instead of a consumer one.

Phil Windley has a thoughtful post on whether or not it is sensible for an OpenID provider to encode information like your employer. In this case, I think that it makes a lot of sense; it's designed for use as an employee. It certainly would be handy for using externally hosted enterprise apps (like Basecamp for instance). I would never use an employer provided OpenID for anything other than official business; it would be like using your ISP-provided email address.

Sun has a long history with digital identity. They were one of the founders of the Liberty Alliance, an early standards body that focused on digital identity (Wikipedia article). Its identity standard SAML has made great strides in the enterprise. I wonder if this move will be the beginning of OpenID going behind the firewall.

(thanks for the tip, David)



Comments: 5

  Eric Norlin [05.08.07 05:04 AM]

Okay - I know I'm nitpicking ;-), but some of the nuances of the details you provide are off (for instance, SAML is not a Liberty standard).....here's my recent "brief history" of identity protocols:

http://blogs.csoonline.com/a_brief_history_of_identity_protocols

  Greg [05.08.07 06:14 AM]

I think Universities have something like this where you can be authenticated to one and access restricted resources at participating Universities. I think it's called pubcookie (http://www.pubcookie.org/)

  Eve M. [05.08.07 10:14 AM]

Brady-- thanks for your interest. You picked up on some aspects I haven't seen others discussing yet. For what it's worth, I've taken the next step in explaining Sun's thinking on the "this guy is a Sun employee" aspect here:

http://www.xmlgrrl.com/blog/archives/2007/05/08/a-tincture-of-trust/

We'll add a lot more thoughts to the mix as we go.

Greg-- pubcookie is, I believe, a classic technology where cookies can be successfully used for single sign-on within a single domain. SAML (and its relatives Liberty ID-FF and Shibboleth) specializes more in inter-domain SSO.

Eric-- I enjoyed your "brief history" very much! Though it seems a little unfair to correct Brady (especially on a point that's sort of debatable) and then point to your post as a dispositive source of information. :-)

  rektide [05.09.07 11:37 AM]

Eric, I don't think Tim claimed what you think he claimed,
"They were one of the founders of the Liberty Alliance, an early standards body that focused on digital identity (Wikipedia article). It's identity standard SAML has made great strides in the enterprise. "

I think "It's" here is referring to Sun, not Liberty Alliance, in which case we can just pick bones about the fact that there were plenty of other people involved with the SAML standard. I could be wrong, but that was my initial and current interpretation.

Which btw, is definitely my favorite identity standard. Especially since SAML 2.0 subsumed a lot of Liberty Alliance functionality. I was never really on about all the specific bindings (a huge part of Liberty Alliance), so just importing some of the useful core data structs from liberty made me all warm and fuzzy.

