Recurring theme lately around the office – When are we going to start using InfoCards and Cardspace internally? In fact, I was fortunate enough to be part of a conversation recently with several of the smart guys in the MSIT Security team, and although we didn’t come up with anything hard or fast – Here is where I’ll give you “my take” on when we’re going to use InfoCards and Cardspace internally.
Important Disclaimer – Discussions are great for helping you articulate your thoughts, but all opinions in this blog are my own. Also important to note is that most of the InfoCard and CardSpace discussions are around solving the consumer identity problem. This is a huge problem to be sure, but I’m an enterprise IT guy – so it’s not the problem which I’m focused on every day. I care about my enterprise identity management issues.
First – a bit of terminology clarification:
CardSpace – This is the identity selector. It’s included in Windows Vista, and available for Windows XP, but in short, it’s the “secure desktop” (you know, the bright colorful part of your screen when everything else goes greyish/black)... (no, not a crash! smart aleck, those are blue!)... The purpose of CardSpace though, is only to allow you to select InfoCards.
InfoCards – These are the things you select in CardSpace (Ha! Bet you didn’t see THAT coming!). Each InfoCard represents some set of bits of information about you that you want to submit to a website. There are a couple of flavors, self issued, and managed InfoCards.
Self-Issued – Pop open a browser, and see how the Windows Live, Yahoo, and Google toolbars (I’m sure some of you have all 3 installed) have the “Auto Fill” button? Yeah, that’s pretty much the idea behind a self-issued card. Of course there’s some more: combined with the identity selector you get some anti-phishing help, so you don’t accidentally auto-fill your paypal user name and password into the paypa1.com website, but conceptually, it’s auto-fill + anti-phishing. These cards could be useful as a replacement for the Post-It notes below your keyboard, which have usernames and passwords written on them for all the websites you frequent.
Managed – These cards are actually issued by a server (as opposed to being self-generated), and are more likely to be used to pass information which is stored in a centralized identity store, and vouched for (i.e. signed) by that store. Think for a moment of an application which only trusts information about your user account which came from Active Directory. A token server could issue you a managed card, which corresponds to your AD account, and whenever you access the application and select the card, the requested attributes from AD are read and placed into the token.
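To make the two flavours concrete, here is a small added model (not code from the post or from CardSpace itself) of the trust difference just described: a self-issued card releases an identifier bound to the site it is presented to, so a look-alike domain receives a different value, while a managed card carries attributes signed by an issuer standing in for the directory-backed token server, and the application accepts only attributes that carry a valid issuer signature. The secrets, the directory contents, the user name and the HMAC-based signature are all constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed secrets for illustration only; a real selector and token
# server would hold these in protected storage.
CARD_MASTER_SECRET = b"self-issued-card-secret-example"
ISSUER_SIGNING_KEY = b"token-server-signing-key-example"

# Constructed stand-in for the centralized identity store (e.g. AD).
DIRECTORY = {"alice": {"department": "IT", "employeeId": "12345"}}


def self_issued_identifier(rp_identity: str) -> str:
    """Identifier a self-issued card releases to one relying party.

    Assumption (not stated in the post): the value is derived from the
    card's secret and the site's verified identity, so "paypa1.com"
    receives something different from "paypal.com" and cannot reuse it.
    """
    mac = hmac.new(CARD_MASTER_SECRET, rp_identity.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def issue_managed_token(user: str, requested: list) -> dict:
    """Token server reads the requested attributes and signs the result."""
    claims = {name: DIRECTORY[user][name] for name in requested}
    claims["subject"] = user
    body = json.dumps(claims, sort_keys=True).encode()
    signature = hmac.new(ISSUER_SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return {"claims": claims, "signature": signature}


def rp_accept(token: dict, trusted_issuer_key: bytes) -> Optional[dict]:
    """Application that trusts attributes only when the issuer vouched for them.

    Returns the claims on a valid signature, None for self-asserted or
    tampered tokens.
    """
    body = json.dumps(token.get("claims", {}), sort_keys=True).encode()
    expected = hmac.new(trusted_issuer_key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.get("signature", "")):
        return None
    return token["claims"]
```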
So if the question is really, when are we going to use InfoCards and CardSpace internally at Microsoft, I think there’s a good chance to say that we wouldn’t. Now, this doesn’t mean that we won’t, just that the problem which they solve is actually a symptom of a larger problem, which has solutions – albeit, more complex ones.
Let’s take a look at the scenarios in which these technologies would provide a good value to our business:
Single Sign-on (Internal) – The purpose of an identity selector is to select an identity. Ok. Probably could have been named a bit more descriptively, but we’ll go with it. How many identities do you have in an enterprise? Well, ideally, you want to have one – and that one would allow you to access everything that you need. Ok sure, but we all know that isn’t how most enterprises work; instead they have many systems, each one with its own identity store. Well, as I’ve said before, if you have an identity store, you immediately get a provisioning problem. So there are actually 2 ways to solve this problem then – First, you can make it very easy for users to manage their 21 user names and passwords (or whatever it is), and provide them a pretty UI for swapping into and out of applications. CardSpace fits this bill nicely. It’s not really SSO, because I count having to select a card as a “sign-on”, but it’s definitely “easier sign-on”, that’s for sure.
Single Sign-on (External) – Isn’t this what federation is all about? Well, sort of, but the fact is that there are a lot of partners which we can’t federate with. However, if they were to issue managed InfoCards, or even allow our users to register self-issued InfoCards as their authentication mechanism, then it would help relieve the Post-It note under the keyboard problem. Still though, this means that your partners are going to need to maintain their own identity stores. InfoCards will help ease the user pain, but the businesses (and IT guys – like me) still have to deal with the provisioning problems, data consistency issues, and security concerns of allowing a partner to have all of this information. The better solution would be to federate with our partners, to allow our users to access with their corporate credentials, no UI prompt, “it just worked”.
Role Transitions – Internally, this is something which we have only started to think through, so I’ll describe what we’re thinking – and leave the question of whether or not it’s worth it for later: If you’re an administrator of an enterprise application, then there is also a reasonable possibility that you are a user of that application as well. If this is the case, then is there a need/desire for you to sometimes access the application as a user, and sometimes as an administrator? Usually, the way that you see this is that an administrator has the same menu options as a user, plus additional ones. Is there any reason why this is bad? Having the administrator role separated from the user role would be much easier in a CardSpace world, because transitioning from user to administrator and back could be done much more easily. But that seems like a lot of work, and it’s never been a requirement to date (at least not for application admins).
There may even be more places where InfoCards and CardSpace can fit into an enterprise. These are the ones which I have come up with so far. The pattern which seems to be showing though, is that if you can’t fix your “big” identity management problems, then you can use InfoCards to ease the user experience of them.