Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Wednesday, September 12, 2007

To Be or Not To Be an Identity Provider?

Yesterday, in a post of mine called “What is the Business Case for Identity Providers?”, I was wondering what the incentive would be for an organization to be an “Identity Provider” (IdP), and in particular one that plays only this role, i.e. with no additional stake in providing other services.

Of course there is no constraint against being both an IdP and a Service Provider (SP). Actually, this is the most likely case to happen – in my view. I would not be surprised if Federated Identity Management consolidates and happens in cases built around a dominant organization/service provider and other subordinated service providers, where the dominant organization plays both the IdP and SP roles and uses federation to simplify the life of its customers, in a well-controlled environment. This is already happening in telecom and outsourcing contexts …

In theory, being just an IdP would be the ideal case, with a clear “separation of duty” between who manages identities (on behalf of users) and who “consumes” them. But, in practice, does this make any sense? Here are some initial thoughts:
  • Would the Identity Provider have to charge users to store their personal data and enable their SSO across various Service Providers? Not sure if users are really willing to pay for this kind of service …
  • Would the Identity Provider have to charge Service Providers, let’s say on a transactional basis? But would Service Providers (1) be willing to give up the control they currently have over personal data and (2) also have to pay for it?
  • Would the Identity Provider make a living from advertising? Maybe, but then the temptation to use stored personal data to provide better, customised advertising to users, or for other purposes, would be too strong. Would users be happy about this?
  • Would the Identity Provider be the user itself? If so, what would be the practical implications?
I think this is an important aspect to understand - independently of the various approaches, standards and technologies that are emerging (and competing) in this space – in particular for its implications on trust, privacy and assurance matters.
