OpenID is the Federating Identity
Nov 29th, 2007 by Aswath
In today’s post, “Phoneboy” talks about the need for a federated identity in the context of Jangl. He frames the problem by describing the need to correlate the identity Jangl recognizes from Facebook with his native Jangl identity. Even though Jangl is willing to do this correlation, he observes that it has taken longer than he would have liked. He then extrapolates the difficulty one would have if more than one company were involved. Having mentioned me explicitly, he considers the role of OpenID. Of course, if the sites involved use OpenID as the authentication mechanism and the user uses the same OpenID at all of them, the problem is moot. But he recognizes the possibility that a user may use different OpenIDs at these sites. This brings up an important feature that must be implemented by any site that accepts OpenID for authentication.
Since the OpenID provider is an external entity, a failure at that provider will lock the user out of the service offered by the relying party. This is not an acceptable situation. So any site that supports OpenID for authentication must allow users to associate multiple OpenIDs with a single account, and it should become one of the best current practices. (Naturally, a new OpenID should be linked only from a session that is already authenticated to that account, after the new OpenID has itself been verified with its provider, and each OpenID should map to at most one account; otherwise the linking feature becomes a way to take over accounts rather than a safeguard.) Once this becomes standard operating procedure, OpenID will meet Phoneboy’s needs while addressing his concern. (EnThinnai does not do this currently, and we recognize that. Adding the ability to link multiple OpenIDs to a single account is on our roadmap.)
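To make the practice above concrete, here is an added example (not EnThinnai’s code, and not part of the original post) of a relying party’s account model that links several OpenID identifiers to one account. The OpenID protocol run itself is replaced by a stand-in `verify` callback, the identifiers and provider hostnames are constructed for the example, and the identifier normalization is a simplified version of the OpenID 2.0 rules for URL identifiers (no XRI handling). It shows the three checks that matter: a new identifier is verified and linked only to the account the user is already logged in to, one identifier can never belong to two accounts even when spelled differently, and the last remaining identifier cannot be unlinked. It then walks through a provider outage: login via the dead provider fails, login via the other linked provider still reaches the same account.

```python
"""Relying party that links several OpenID identifiers to one account.
Added example; provider interaction is simulated, nothing here talks to
a real OpenID server."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit


class ProviderUnavailable(Exception):
    """The OpenID provider for this identifier could not be reached."""


def normalize_identifier(raw):
    """Simplified OpenID 2.0 normalization for URL identifiers: add a missing
    http:// scheme, lower-case scheme and host, default the path to '/',
    drop any fragment. Without it, 'Example.com' and 'http://example.com/'
    would look like two different users and the uniqueness check below
    could be bypassed."""
    s = raw.strip()
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    if not parts.netloc:
        raise ValueError("not a usable OpenID URL: %r" % raw)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


@dataclass
class Account:
    name: str
    openids: set = field(default_factory=set)


class RelyingParty:
    def __init__(self, verify):
        # verify(identifier) -> True if the user proved control of it at its
        # provider; raises ProviderUnavailable when that provider is down.
        self._verify = verify
        self._accounts = {}    # account name -> Account
        self._by_openid = {}   # normalized identifier -> account name

    def _authenticate(self, raw):
        ident = normalize_identifier(raw)
        if not self._verify(ident):
            raise PermissionError("assertion for %s failed" % ident)
        return ident

    def register(self, name, raw):
        ident = self._authenticate(raw)
        if ident in self._by_openid or name in self._accounts:
            raise ValueError("identifier or account name already in use")
        acct = Account(name, {ident})
        self._accounts[name] = acct
        self._by_openid[ident] = name
        return acct

    def login(self, raw):
        ident = self._authenticate(raw)
        if ident not in self._by_openid:
            raise PermissionError("%s is not linked to any account" % ident)
        return self._accounts[self._by_openid[ident]]

    def link(self, acct, raw):
        # Caller must hold a session already authenticated as `acct`.
        # The new identifier is verified with its own provider first, and
        # an identifier may belong to at most one account.
        ident = self._authenticate(raw)
        owner = self._by_openid.get(ident)
        if owner is not None and owner != acct.name:
            raise ValueError("%s already belongs to another account" % ident)
        acct.openids.add(ident)
        self._by_openid[ident] = acct.name

    def unlink(self, acct, raw):
        ident = normalize_identifier(raw)
        if ident not in acct.openids:
            raise ValueError("not linked to this account")
        if len(acct.openids) == 1:
            raise ValueError("refusing to remove the last login method")
        acct.openids.discard(ident)
        del self._by_openid[ident]


def make_verifier(controlled, down_hosts):
    """Stand-in for the OpenID protocol run (assumption, not real OpenID):
    the browser user controls the identifiers in `controlled`; providers
    whose host is in `down_hosts` are unreachable."""
    def verify(ident):
        host = urlsplit(ident).netloc
        if host in down_hosts:
            raise ProviderUnavailable(host)
        return ident in controlled
    return verify


def demo():
    # Constructed sample identifiers at two hypothetical providers.
    down = set()
    controlled = {"http://alice.provider-a.example/",
                  "https://provider-b.example/alice"}
    rp = RelyingParty(make_verifier(controlled, down))
    results = {}

    alice = rp.register("alice", "Alice.Provider-A.example")
    rp.link(alice, "https://provider-b.example/alice")   # linked while logged in
    results["linked"] = sorted(alice.openids)

    try:  # same identifier, different spelling: cannot open a second account
        rp.register("alice2", "https://provider-b.example/alice#profile")
    except ValueError as e:
        results["duplicate"] = str(e)

    down.add("alice.provider-a.example")                 # provider A goes dark
    try:
        rp.login("alice.provider-a.example")
    except ProviderUnavailable:
        results["provider_a"] = "unavailable"
    results["login_via_b"] = rp.login("https://provider-b.example/alice").name

    rp.unlink(alice, "alice.provider-a.example")         # drop the dead provider
    try:
        rp.unlink(alice, "https://provider-b.example/alice")
    except ValueError:
        results["last_unlink"] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

The point of `_by_openid` being keyed by the normalized identifier is that the uniqueness check and the login lookup use exactly the same string; any relying party that stores the identifier as the user typed it will eventually end up with one identity under two spellings.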
By the way, I wish the OpenID community would deemphasize the single-sign-on aspect of OpenID. The real benefit of OpenID is that it lets us separate the identity provider from the service provider. One can derivatively use a single identity at multiple places, but this should not be seen as the primary benefit.
You took my specific concern a step further and raised a point I hadn’t considered: what if your OpenID provider goes down?
I was more concerned with the fact that I don’t necessarily want to link ALL identities together, only the ones that make sense. One does need additional accounts for testing/”stealth” purposes. 😉
As I remarked in the post, one may use multiple identities to maintain different personae, for example. That is why the relying parties must allow linking of multiple OpenIDs. The promise of OpenID is not a single identity, but an open authentication protocol between a user, the identity provider and the relying party.