BPuhl’s Blog

A little bit of everything without actually being much of anything

More Cardspace in the Enterprise

Posted by BPuhl on March 15, 2008

So it’s been brought to my attention that there is a very important distinction which I should probably make about my views of Cardspace in the enterprise. That distinction is the difference between Cardspace as a user interface – and Cardspace as the underlying infrastructure for performing claims based authentication.

The basic reason why I’m hesitant about Cardspace in the enterprise is actually because I LOVE the idea of having my users perform claims based authentication and authorization…but I can’t fathom the idea that people are going to keep getting these UI pop-ups and having to pick the same card over and over again throughout the day as they are trying to do their job. Even having to click it once or twice per day is too much in my opinion.

Since we already know that Cardspace will show you all cards which meet the criteria, as an enterprise administrator I’d like to say that if there is only a single card which meets the relying party’s criteria – THEN USE IT! Don’t pop the UI, just go ahead and send the card, and have fun with that!

Yes, I realize that this violates numerous basic principles of user centric identity, however the principles that it violates are based on the idea that the person owns the digital identity. In a company, the enterprise owns the identities, and issues them to individuals for use on behalf of the enterprise. So we don’t really need (or in many cases want) the “transparency” or to provide the ability for a user to decline to send claims info, because that would distract them from the primary mission that we issued the identity for in the first place – to do their jobs. It’s not as though an HR analyst would make the decision, “You know, I don’t think I want this application to know my employee ID number, so I’m going to decline to authenticate to it.” Ok, then what are you going to do, since accessing the application is a core part of your job, and the enterprise has determined (meaning, the app devs, security, IT, etc…) that the data was needed?

So don’t get me wrong, I love “claims based authentication and authorization”, and I firmly believe that Cardspace and Infocards have a HUGE value in the consumer space, anti-phishing, etc… But I would love to see more granular policies available to administrators over the user interface, so that we could use the Cardspace plumbing while intelligently presenting the UI only when it was necessary.
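As an added example (not code from the post, and not the real Cardspace selector), here is a simplified Python model of the policy argued above: relying party policy and cards are plain data structures (an assumption; the real policy and card formats are much richer), and the selector sends a card silently only when exactly one card from an enterprise-managed IdP satisfies the request. It also models the per-site “always use this card” setting that the first comment below describes for the Higgins selector, and it assumes the relying party’s identity has already been verified before any silent send is considered.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

@dataclass(frozen=True)
class InfoCard:
    name: str
    issuer: str                 # identity provider that issues tokens for this card
    claims: FrozenSet[str]      # claim types the IdP will assert for this card

@dataclass(frozen=True)
class RelyingPartyPolicy:
    site: str                   # RP identity; assumed already verified (cert check) by the selector
    required_claims: FrozenSet[str]
    issuer: Optional[str] = None  # None means the RP accepts any issuer

@dataclass(frozen=True)
class Decision:
    card: Optional[InfoCard]    # card to send silently, or None
    show_ui: bool               # True when the user must pick (or nothing can be sent)
    reason: str

def matching_cards(cards: List[InfoCard], policy: RelyingPartyPolicy) -> List[InfoCard]:
    """A card satisfies the RP if it can assert every required claim and, when the
    RP constrains the issuer, comes from that issuer."""
    return [c for c in cards
            if policy.required_claims <= c.claims
            and (policy.issuer is None or c.issuer == policy.issuer)]

def select_card(cards: List[InfoCard], policy: RelyingPartyPolicy,
                enterprise_issuers: FrozenSet[str],
                remembered: Optional[Dict[str, InfoCard]] = None) -> Decision:
    """Enterprise rule from the post: exactly one matching card from an enterprise IdP
    is sent without popping the UI. `remembered` (site -> card) models the Higgins-style
    'always use this card at this site' choice; it is honoured only if the card still matches."""
    candidates = matching_cards(cards, policy)
    if not candidates:
        return Decision(None, True, "no card satisfies the relying party policy")
    chosen = (remembered or {}).get(policy.site)
    if chosen in candidates:
        return Decision(chosen, False, "user previously chose this card for this site")
    if len(candidates) == 1 and candidates[0].issuer in enterprise_issuers:
        return Decision(candidates[0], False, "single matching enterprise card; sent silently")
    return Decision(None, True, f"{len(candidates)} candidate cards; user must choose")

# Constructed sample data (hypothetical names): one enterprise-issued card, one self-issued card.
CORP_CARD = InfoCard("Contoso Employee", "idp.contoso.example", frozenset({"employeeId", "upn", "email"}))
PERSONAL_CARD = InfoCard("Personal", "self-issued", frozenset({"email", "givenName"}))
CARDS = [CORP_CARD, PERSONAL_CARD]
ENTERPRISE_IDPS = frozenset({"idp.contoso.example"})
HR_APP = RelyingPartyPolicy("hr.contoso.example", frozenset({"employeeId"}), issuer="idp.contoso.example")
WIKI = RelyingPartyPolicy("wiki.example.org", frozenset({"email"}))       # both cards match -> UI
PAYROLL = RelyingPartyPolicy("payroll.example.org", frozenset({"ssn"}))   # no card matches
```

`select_card(CARDS, HR_APP, ENTERPRISE_IDPS)` sends the enterprise card with no UI, while the wiki request, which two cards can satisfy, still prompts unless a remembered choice exists.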


2 Responses to “More Cardspace in the Enterprise”

  1. I agree that the user doesn’t need to see the UI every time, either in the enterprise or not. Which is why the Eclipse Higgins project has added a setting for “always use this card at this site” on the Higgins Browser Extension for Firefox. Once set, on subsequent visits to the same site, the saved i-card is sent automatically, yielding zero-click login. See Higgins Demo Instructions to check it out.

  2. BPuhl said

    Actually Tom – As an enterprise administrator, owning the IdP, I don’t believe that my users need to see the UI at all. 1+0 is not Zero-click login.

    I envision a claims-based authorization solution in the enterprise, which yields the same user experience that integrated authentication provides today.
