Andy Dale recently made a great post titled “Adopting Evolution” in which he asked the question:
Why has OpenID grabbed so much popularity while SAML, a much more mature, academically respected, ‘robust’ specification has been largely ignored by the cutting edge web 2.0 community?
I’ll encourage you to read his post for his insightful answer.
His question reminded me of another answer to the same question that I gave during the recent Concordia meeting at DIDW: OpenID solves the “Home Realm Discovery” problem that all Federation protocols face; that is, figuring out where the person’s authentication information should come from.
There are lots of ways this problem can be solved, many of which involve potential identity providers being pre-configured by system administrators as possible choices for specific services. Some systems have even dictated the use of a particular identity provider. OpenID’s solution to this is elegant in its simplicity: Let the user decide. When I type in an OpenID URL such as https://mbj.signon.com/ I’m telling the relying party where my identity provider for this interaction is – thus solving the “Home Realm Discovery” problem. As elegant as this is, of course, the potential downside of this solution is that it assumes that people will remember their OpenID identifiers and will faithfully type them in when a page prompts them for an OpenID.
OpenID 2.0 actually allows i-names such as =mbj or =Mike.Jones to be used as OpenIDs as well. I-names then use their own lookup protocol to discover the identity provider behind the i-name typed. This is arguably better (and is the kind of OpenID I personally use), but still relies on the user to reliably enter their OpenID identifier when prompted.
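The first thing a relying party has to do with a typed identifier is work out whether it is a URL (like https://mbj.signon.com/) or an i-name (like =mbj), because each is resolved to its identity provider by a different discovery mechanism. This is an added example, not code from the original post or from any OpenID library: it applies the identifier normalization rules of OpenID Authentication 2.0 section 7.2 and reports which discovery method applies; the discovery lookup itself is not performed.

```python
"""Added example: classify and normalize a user-typed OpenID 2.0
identifier so the relying party knows how to discover the identity
provider behind it (the "Home Realm Discovery" step).  Follows the
normalization rules of OpenID Authentication 2.0, section 7.2."""
from typing import Tuple
from urllib.parse import urlsplit, urlunsplit

# Leading characters that mark an XRI / i-name (spec section 7.2).
XRI_GLOBAL_CONTEXT_SYMBOLS = "=@+$!("


def normalize_identifier(user_input: str) -> Tuple[str, str]:
    """Return (kind, normalized) where kind is 'xri' or 'url'.

    The identifier is supplied by the end user, so it is untrusted input
    to the relying party: only http/https URL identifiers are accepted
    and anything else raises ValueError instead of being looked up."""
    s = user_input.strip()
    if not s:
        raise ValueError("empty identifier")
    # An i-name may be typed with or without the xri:// prefix.
    if s.lower().startswith("xri://"):
        s = s[len("xri://"):]
    if s[0] in XRI_GLOBAL_CONTEXT_SYMBOLS:
        return "xri", s
    # Anything else is a URL identifier; a missing scheme defaults to http.
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme}")
    if not parts.hostname:
        raise ValueError("identifier has no host")
    # Scheme and host are case-insensitive, the fragment is dropped, and an
    # empty path becomes "/" so equivalent spellings compare equal.
    path = parts.path or "/"
    normalized = urlunsplit(
        (parts.scheme, parts.netloc.lower(), path, parts.query, ""))
    return "url", normalized


def discovery_method(kind: str) -> str:
    """Name the discovery step that follows normalization."""
    return "xri-resolution" if kind == "xri" else "yadis-or-html-discovery"
```

Because the relying party fetches whatever host the normalized URL names, rejecting non-HTTP schemes here is the minimum check before any discovery request is made.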
In this discussion at Concordia, others pointed out that using an Identity Selector (such as DigitalMe or CardSpace) is another means of solving the problem. Like OpenID, it also lets the user decide, but in this case, by clicking on a visual Information Card, rather than typing in a string. I personally believe that this will be an easier metaphor for many people to use once it’s commonly available than typing in an OpenID identifier.
I’ll also point out that it’s not a one-or-the-other choice between OpenIDs and Information Cards when letting the user decide. As was recently demonstrated, OpenID Information Cards can be used to deliver the OpenID identifier to the OpenID relying party, rather than having the user type it.
In conclusion, while it may seem esoteric, solving the “Home Realm Discovery” problem is essential to working digital identity deployments. And the usability of the solution chosen matters a lot. Using Andy’s terminology, I believe that its solution to this problem both accounts for some of “the juju that OpenID has” and may result in usability problems for less technical audiences that will need to be addressed if it’s to break out beyond just us geeks.
3 Responses to “The Popularity of OpenID and How It Relates To ‘Home Realm Discovery’”
Eric Norman on 30 Sep 2007 at 11:36 pm #
Well, I think you have to be real careful about saying “let the user decide”. Lots of relying parties have something at risk if they accept inaccurate claims. Hence, they are entitled to have something to say about who issued the claims they’re relying on. They may not require a single IdP to issue claims (or they may), but that’s not the same as letting the user make the decision.
It might be worthwhile making a distinction between users’ decisions about where IdP information can be found (desktop or URL of OP) versus who testifies about the accuracy of that information. At least in the non-self-issued case, that is.
And I have a question about the proposed OpenID information cards.
Does anyone think it’s appropriate to display the purple “log on with information card” icon if the only option a relying party will accept is an OpenID information card? This seems like it would be a nasty joke to play on users who are using (regular) information cards but don’t have an OpenID.
Mike Jones on 01 Oct 2007 at 12:29 am #
As usual, Eric Norman makes great points. “Home Realm Discovery” for self-issued identity information (such as OpenIDs) is a very different situation from discovery for managed identity providers providing verified claims. Do I believe that part of “the juju that OpenID has” is that it simply solves this problem in the self-issued case? Yes. Do I believe that that’s the end of the story for relying parties that want validated claims from third party identity providers? No. In that case, both the relying party and the user should have a say in which identity will be used. (Not so coincidentally, the Identity Selector model behind Information Cards accomplishes just this by allowing the user to choose from among only the cards that the relying party is willing to accept.)
And in answer to Eric’s second question, you’ll notice that Sxip’s sample OpenID Information Card relying party doesn’t just display the purple Information Card icon; it displays an icon containing both the OpenID and Information Card icons, which I believe is intended to evoke exactly the point that Eric is making: OpenID Information Cards accepted here.
Eric Norman on 01 Oct 2007 at 6:52 pm #
I don’t think “intended to evoke” is relevant. What is relevant is the mental model that users will form about such signals. Usability studies haven’t been done, but I’ll bet at least this much. If a user sees the purple information card icon and they have a (regular) information card, then they can probably use one to log in by clicking on the icon. If they see an OpenID icon nearby, my bet is that some users’ mental model says clicking on that will get them the regular OpenID prompt to type in a URL. Either that, or they might wonder what that OpenID stuff is. Remember, we might be dealing with users who have never heard of OpenID.
So Mike, I’m betting you a beer on this one. Now all we need is to have someone do the usability studies to settle the bet :) :) :)