BG10 handout

From OSIS Open Source Identity Systems

Executive Introduction

Identity is fundamental for business; regardless of sector and size, every organization grapples with problems of identifying and authorizing everyone with whom the enterprise has a relationship. It’s 2010 and enterprises have new choices when it comes to working with the identities of their partners, citizens, suppliers, and customers – choices that can reduce the cost of these relationships while increasing trust and creating new business opportunities. To support the scale and complexity of these choices, the breadth and depth of technology providers’ collaboration has expanded. In this event, members of the OpenID Foundation, the Information Card Foundation, the Open Identity Exchange, Kantara Initiative and Identity Commons will demonstrate enterprise uses of open identity as a business enabler. This interop will showcase:

  • Practical applications of the work of the US Identity, Credential and Access Management (ICAM) Subcommittee, National Institutes of Health, and their partners
  • Examples of using OpenID, Information Card, and SAML identities at different levels of assurance across multiple sites
  • Illustrations of how open identity is moving to mobile devices and enabling new types of mobile apps
  • New browser-based apps that use identity services to automate cross-site user experiences.

The Interop Scenario

The Burton Group 2010 Open Identity for Business Interop focuses on how Open Identity generates business value. It demonstrates how various members of the Open Identity ecosystem can work together to provide value as part of an open identity ecosystem. Since this is a business interop, it is structured around usage stories rather than technology protocols. There is a core story about the use of Open Identity in healthcare, with off-ramps where participating organizations can demonstrate the unique value that they bring to the scenario and where technology enablers can demonstrate additional capabilities. This networked design of the interop also demonstrates the core strength of Open Identities, which come in multiple levels of assurance (LOAs) and protocols (OpenID, IMI Information Cards and SAML) and can be used by a variety of organizations to provide secure, reusable, privacy-protecting access.

Since the last Burton Group Interop, the US Federal Identity Credentialing and Access Management (FICAM) program has developed standards for the use of open identity protocols. Multiple organizations (OIX, Kantara Initiative and InCommon) have stepped forward to certify identity providers to trust framework standards also established by FICAM. The National Institutes of Health (NIH) has led the way in the adoption of open identity. NIH’s PubMed site has gone live with accepting third-party open identities that have been certified to meet these standards. This has required the coordinated contributions of multiple government agencies, identity providers, technology providers, certifying organizations and interop hosts. The healthcare industry affects everyone and every business. In the future, more and more health-related services will be available online. These services include not just brochureware, but also processes where the users must be authenticated and their privacy protected. More and more, these services will be accessed using portable, open identity credentials that can be used for multiple services. As in the physical world, these credentials will have varying levels of assurance (LOAs). Some services can be accessed anonymously; others require higher levels of authentication. By leveraging user-driven, privacy-enhancing technologies, both Identity Providers (IdPs) and Relying Parties (RPs, i.e. systems that accept these identity credentials) can provide enhanced services and ease of use. This interop demonstrates how Open Identity credentials can be used in a series of health-related interactions.

  1. A mother notices an odd rash on her child’s arm.
  2. She searches for information on the internet and that leads to a series of abstracts on PubMed. This is the base case of using a website without any authentication.
  3. Out of concern, she logs into the PubMed system with a portable identity credential (a variety of OpenID and SAML credentials are currently accepted in the PubMed production system, with Information Card support soon to come; PubMed relies on NIH’s iTrust system to accept and validate these credentials, and iTrust in turn leverages CA’s SiteMinder product). She saves a profile and a list for later review, and a copy of the information is automatically sent to the email address provided on login. These portable OpenID and SAML credentials have been certified by the Open Identity Exchange or issued by members of the InCommon Federation. NIH’s iTrust service makes it easy for government websites to accept Open Identity credentials. So in summary:
    1. She presents her LOA-1 credential from an IdP that is certified by a trust framework to the GSA profile.
    2. An RP that is an LOA-1 web site for medical information accepts the credential and provides access.
  4. Now she is a bit panicked.
  5. She then goes to the pediatrician’s website and logs onto their scheduling system with her trust-framework-certified credential to request an online consultation visit.
    1. Several of the participants in the interop are demonstrating not only how their software and services can support LOA-1 interactions but also how they support interactions at higher levels of assurance, such as the LOA-2 that might be used for a patient or healthcare proxy to log in to a health care service system and provide sensitive information.
    2. The application then asks for some sensitive information, so she is prompted to enter an OTP to raise the assurance level of the credential used.
    3. She updates the info, confirms the appointment and logs off.
    4. Based on the information provided, past history and other information available at the time, the diagnosis is childhood eczema.
  6. The physician logs into a physician portal using an LOA-3 credential to record diagnosis and authorize prescription.
    1. Some of the participants in the interop also support the LOA-3 required for a physician to authorize a prescription. Both the SAML and IMI Information Card protocols can support higher LOAs, and the GSA has developed higher LOA profiles for both protocols.
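The RP-side decision that runs through this scenario (accept an LOA-1 login for PubMed, prompt for an OTP step-up on the scheduling site, require LOA-3 for the physician portal) can be written down as a small policy. The following is an added illustration, not code from the interop or from any participant; the IdP names and certification levels are constructed sample data, and the rule that a verified OTP raises the effective LOA by one level is a modelling assumption.

```python
from dataclasses import dataclass

# Constructed sample trust-framework register: IdP -> highest LOA at which a
# certifying body (e.g. OIX or InCommon in the scenario) has certified it.
CERTIFIED_IDPS = {
    "sample-openid-idp": 1,    # LOA-1 only
    "sample-saml-idp": 2,      # certified through LOA-2
    "sample-infocard-idp": 3,  # certified through LOA-3
}


@dataclass
class Assertion:
    """What the RP learns from one login."""
    idp: str
    protocol: str            # "openid", "saml" or "imi"
    loa: int                 # LOA the IdP asserts for this authentication
    otp_verified: bool = False  # an OTP step-up succeeded in this session


def effective_loa(a: Assertion) -> int:
    """LOA the RP may rely on: never above the IdP's certification, and one
    level higher (assumption) when an OTP step-up has been verified."""
    cert = CERTIFIED_IDPS.get(a.idp)
    if cert is None:
        return 0  # uncertified IdP: the asserted LOA carries no weight
    loa = min(a.loa, cert)
    if a.otp_verified:
        loa = min(loa + 1, cert)
    return loa


def decide(a: Assertion, required_loa: int) -> str:
    """Return 'allow', 'step-up' or 'deny' for a resource needing required_loa."""
    have = effective_loa(a)
    if have >= required_loa:
        return "allow"
    cert = CERTIFIED_IDPS.get(a.idp, 0)
    # Prompt for a second factor only if one more level would suffice and the
    # IdP is actually certified at the level being requested.
    if not a.otp_verified and have + 1 >= required_loa and cert >= required_loa:
        return "step-up"
    return "deny"


if __name__ == "__main__":
    mother = Assertion("sample-saml-idp", "saml", loa=1)
    print(decide(mother, 1), decide(mother, 2))  # PubMed, then scheduling site
```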


The open identity ecosystem has evolved to the point where:

  • There is a choice of protocols available based on open standards.
  • The US federal government has developed profiles of these standards for use at varying levels of assurance.
  • Numerous technology vendors have incorporated support for these standards into their products both for creating and accepting credentials based on these standards.
  • There is an organization conducting interops to ensure interoperability.
  • Organizations (Identity Providers) are issuing identity credentials that meet these standards.
  • The US Federal government has defined a trust framework for certifying that these identity providers meet their standards.
  • The US Federal government is authorizing certifying bodies to certify that identity providers meet these standards.
  • Identity providers have been certified and are being used in production.

So we are now in a position where the technology and organizations are in place so that governments and businesses can leverage trusted portable identity credentials, without having to bear the entire burden of issuing and maintaining these credentials themselves.

Paragraph on each participant and what open identity means to them

(This content will be publicized on Ian's blog. Note place holders were taken from the participant list.)