July 10, 2010
Using Consumer Identities for Business Interactions

Medtronic, PayPal, Southworks, and Microsoft recently worked together to demonstrate the ability for people to use their PayPal identities for participating in a Medtronic medical device trial, rather than having to create yet another username and password. Furthermore, the demo showed the use of verified claims, where the name, address, birth date, and gender claims provided by PayPal are relied upon by Medtronic and its partners as being sufficiently authoritative to sign people up for the trial and ship them the equipment. I showed this to many of you at the most recent Internet Identity Workshop.

From a technology point of view, this was a multi-protocol federation using OpenID and WS-Federation – OpenID for the PayPal identities and WS-Federation between Medtronic and two relying parties (one for ordering the equipment and one for anonymously recording opinions about the trial). It was also multi-platform, with the Medtronic STS running on Windows and using the Windows Identity Foundation (WIF) and DotNetOpenAuth, the equipment ordering site running on Linux and using simpleSAMLphp, and the opinions site running on Windows and also using WIF. A diagram of the scenario flows is as follows:

Identity Mash-Up Diagram

We called the demo an “identity mash-up” because Medtronic constructed a identity for the user containing both claims that came from the original PayPal identity and claims it added (“mashed-up”) to form a new, composite identity. And yet, access to this new identity was always through the PayPal identity. You can read more about the demo on the Interoperability @ Microsoft blog, including viewing a video of the demo. Southworks also made the documentation and code for the multi-protocol STS available.

I’ll close by thanking the teams at PayPal, Medtronic, and Southworks for coming together to produce this demo. They were all enthusiastic about using consumer identities for Medtronic’s business scenario and pitched in together to quickly make it happen.


Update: Also see related posts by Kim Cameron and Matias Woloski.

4 Responses to “Using Consumer Identities for Business Interactions”

  1. IdentityBlog - Digital Identity, Privacy, and the Internet's Missing Identity Layer on 10 Jul 2010 at 12:13 pm #

    [...] Jones at writes about an “identity mashup” that drives home a really important lesson:  the organizational [...]

  2. IdentityBlog - Digital Identity, Privacy, and the Internet's Missing Identity Layer on 12 Jul 2010 at 6:12 pm #

    [...] Fast forward to May this year, I’m happy to disclose the proof of concept we did with the Microsoft Federated Identity Interop group (represented by Mike Jones), Medtronic and PayPal. The official post from the Interoperability blog includes a video about it and Mike also did a great write up… [...]

  3. Consumer Identities for Business transactions - Windows Azure Blog on 20 Jul 2011 at 2:18 am #

    [...] The official post from the Interoperability blog includes a video about it and Mike also did a great write up. I like how Kim Cameron summarized the challenges and lessons learnt of this PoC: The change agent [...]

  4. Consumer Identities for Business transactions - Windows Azure Blog on 20 Jul 2011 at 2:18 am #

    [...] The official post from the Interoperability blog includes a video about it and Mike also did a great write up. I like how Kim Cameron summarized the challenges and lessons learnt of this PoC: The change agent [...]

Trackback URI | Comments RSS

Leave a Reply

You must be logged in to post a comment.