Open Identity at AOL
Praveen Alavilli, Authentication Team, AOL LLC
Why does identity matter for AOL?
Increase global reach, usage and monetization of products, services, programming and platforms
Well, in simple terms …
• Allow any user that can be reliably identified: provide personalized services to a greater audience with a lower barrier to entry, since the consumer can use an identity they already have
• Allow users to use their AOL identity at any place on the Internet that accepts it
• Make the AOL identity more valuable in the Web 2.0 space by participating in the open identity meta-system
• Provide an easier integration process for 3rd parties
Where in AOL?
Many of AOL's value-added services are identity based:
– personal services and public presence: Pictures, Video, Journals, Xdrive, AIM, WebMail, …
– high-value transactions: AOL Bill Pay, Finance, Portfolios, …
– personalization of existing non-identity-based services: Mapquest, Magnets, …
Identity evolution in AOL
• AOL Accounts (w/ account relations)
• AIM Accounts
• ICQ Accounts
• Delegated accounts – mac.com, userplane.com, etc.
• Domain based accounts – email address, vanity domains, personal domains, etc.
• Federated accounts – Verizon, hansenet, etc.
We had to deal with …
• Several closed systems of our own
• Different implementations & integrations, several of them proprietary
• User experiences
• Client vs. web
• SSO from client to web and vice versa
• Up-sell/down-sell processes to move identities from one type to another
• Authorizations and subscriptions
• The identity model itself
What we learned … the hard way!
• Keep Systems Open
• Need for a Flat Identity model
• Adopt Open Standards & Protocols
• Need for simpler and lighter federations both inside & outside of our “walled garden”
We are looking at …
• OpenID
• Liberty/SAML
• CardSpace
Things we tried so far …
• OpenID Provider (Relying Party support underway): all AOL/AIM users have an OpenID (openid.aol.com/<sn>)
• SAMLv2 Lightweight Web Browser SSO Profile, a.k.a. Simple Federation Protocol: AOL - Verizon bundling
• Verisign Seatbelt: Verisign's effort to help solve phishing problems
• Liberty ID-FF/ID-WSF: AOL Radio clients & some media devices like D-Link
• Higgins STS (still in very early stages)
The way we look at them …

OpenID
  Pros: no provisioning, toolkits/modules, simple and easy to implement and deploy
  Cons: lack of service invocation support, phishing, user awareness, trust, user education

CardSpace
  Pros: no service provisioning, consistent UI (phishing resistant), reasonable trust level
  Cons: complex WS-* protocol and message formats (mainly for IDPs), OS dependent, user education, lack of toolkits/modules, user self-provisioning

Liberty/SAML
  Pros: solves a wide range of use cases, high trust, consent management for service invocation, details can be hidden from users
  Cons: complex protocols and frameworks, designed for Web services - not well suited for browser-based services, lack of toolkits/modules, poor adoption, service provisioning
OpenAuth
Our answer to the problems of:
– Complexity
– Service invocation
– Simple provisioning
– Identity for Web 2.0 applications
OpenAuth
• Simple API to Authenticate AOL/AIM/ICQ Users
• Light-weight “provisioning” and easy integration/use
• Well known/understood Technologies – HTTP/TLS/XML/JSON/…
• Permission (Consent) Management
• Secure Token exchange for ‘deputization’ of services
• Designed for AOL Open Services Consumption
• Supports Redirect, AJAX, and Direct Models for Web 2.0 apps
• Also …
– OpenID Provider (OP)
– OpenID Authentication Token Exchange Extension
– OpenID Consumer/Relying Party: accepts 3rd-party OpenIDs
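The deck says AOL runs an OpenID Provider for every AOL/AIM screen name and is adding Relying Party support, but it does not show what the RP side has to check. The following Python is an added example, not code from the deck, from AOL's OpenAuth, or from any OpenID library: it walks through the checks an RP makes on an OpenID 2.0 positive assertion (openid.mode=id_res) that comes back to return_to under a shared association, namely namespace and mode, association handle, op_endpoint and return_to against what discovery and the request established, that the identifier fields are inside openid.signed, the HMAC over the Key-Value Form, and the response_nonce timestamp plus a replay cache. An HMAC-SHA256 association is assumed. The MAC key, association handle, OP endpoint URL, return_to URL, nonce values and the screen name "alice" (standing in for the deck's <sn>) are all constructed for the demo and are not AOL's.

```python
# Added example: RP-side checks on an OpenID 2.0 positive assertion under a shared association.
import base64
import calendar
import hashlib
import hmac
import time
from typing import Dict, Iterable, Optional, Set
from urllib.parse import parse_qs, urlencode

OPENID2_NS = "http://specs.openid.net/auth/2.0"
# Fields the RP must insist are covered by the signature.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}

# Constructed, hypothetical values: a real RP obtains MAC_KEY and ASSOC_HANDLE from the OP in an
# association request; endpoint, return_to and the screen name "alice" are assumed, not AOL's.
MAC_KEY = b"constructed-32-byte-mac-key-0000"
ASSOC_HANDLE = "assoc-demo-1"
OP_ENDPOINT = "https://openid.aol.com/server"
RETURN_TO = "https://rp.example.org/openid/return"
CLAIMED_ID = "http://openid.aol.com/alice"   # the deck's openid.aol.com/<sn> with an assumed <sn>

def kv_form(fields: Dict[str, str], signed: Iterable[str]) -> bytes:
    """Key-Value Form of the signed fields, in openid.signed order: 'name:value\\n' per field."""
    return "".join(f"{name}:{fields[name]}\n" for name in signed).encode("utf-8")

def sign(mac_key: bytes, fields: Dict[str, str], signed: Iterable[str]) -> str:
    """base64(HMAC-SHA256(mac_key, kv_form)), as for an HMAC-SHA256 association."""
    return base64.b64encode(hmac.new(mac_key, kv_form(fields, signed), hashlib.sha256).digest()).decode("ascii")

def parse_indirect_response(query: str) -> Dict[str, str]:
    """Redirect query string -> {name: value} without the 'openid.' prefix; duplicates are an error."""
    out: Dict[str, str] = {}
    for key, values in parse_qs(query, keep_blank_values=True, strict_parsing=True).items():
        if len(values) != 1:
            raise ValueError(f"duplicate parameter {key!r}")
        if key.startswith("openid."):
            out[key[len("openid."):]] = values[0]
    return out

def nonce_time(nonce: str) -> int:
    """response_nonce begins with a UTC timestamp YYYY-MM-DDThh:mm:ssZ, then unique characters."""
    return calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))

class AssertionVerifier:
    def __init__(self, mac_key: bytes, assoc_handle: str, op_endpoint: str, return_to: str,
                 max_skew: int = 300) -> None:
        self.mac_key, self.assoc_handle, self.max_skew = mac_key, assoc_handle, max_skew
        self.op_endpoint, self.return_to = op_endpoint, return_to
        self.seen_nonces: Set[str] = set()   # replay cache, keyed per OP; persist it in production

    def verify(self, fields: Dict[str, str], now: Optional[float] = None) -> str:
        """Return the verified claimed identifier, or raise ValueError."""
        now = time.time() if now is None else now
        if fields.get("ns") != OPENID2_NS or fields.get("mode") != "id_res":
            raise ValueError("not an OpenID 2.0 positive assertion")
        if fields.get("assoc_handle") != self.assoc_handle:
            raise ValueError("unknown association handle")
        if fields.get("op_endpoint") != self.op_endpoint:
            raise ValueError("op_endpoint differs from the discovered OP")
        if fields.get("return_to") != self.return_to:
            raise ValueError("return_to differs from the URL this response arrived at")
        signed = fields.get("signed", "").split(",")
        if REQUIRED_SIGNED - set(signed):   # identifier fields must sit inside the MAC
            raise ValueError(f"required fields not signed: {sorted(REQUIRED_SIGNED - set(signed))}")
        if any(name not in fields for name in signed):
            raise ValueError("openid.signed names a field that is absent")
        expected = sign(self.mac_key, fields, signed).encode("ascii")
        if not hmac.compare_digest(expected, fields.get("sig", "").encode("utf-8")):
            raise ValueError("bad signature")
        nonce = fields["response_nonce"]
        if abs(now - nonce_time(nonce)) > self.max_skew:
            raise ValueError("stale response_nonce")
        if nonce in self.seen_nonces:       # checked after the MAC so forgeries cannot burn nonces
            raise ValueError("replayed response_nonce")
        self.seen_nonces.add(nonce)
        return fields["claimed_id"]

def build_assertion(mac_key: bytes, nonce: str, claimed_id: str = CLAIMED_ID) -> Dict[str, str]:
    """Constructed positive assertion, signed as the OP would sign it (demo input only)."""
    fields = {"ns": OPENID2_NS, "mode": "id_res", "op_endpoint": OP_ENDPOINT, "return_to": RETURN_TO,
              "assoc_handle": ASSOC_HANDLE, "response_nonce": nonce, "claimed_id": claimed_id,
              "identity": claimed_id,
              "signed": "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity"}
    fields["sig"] = sign(mac_key, fields, fields["signed"].split(","))
    return fields

def rejected(verifier: AssertionVerifier, fields: Dict[str, str], now: float) -> bool:
    # True if the verifier refuses the assertion (tampered, forged, stale, replayed, under-signed).
    try:
        verifier.verify(fields, now=now)
        return False
    except ValueError:
        return True

def demo() -> str:
    # Round trip: the OP signs, the RP parses the redirect query and verifies; returns the claimed_id.
    nonce = "2007-05-15T17:11:51Zdemo0001"
    verifier = AssertionVerifier(MAC_KEY, ASSOC_HANDLE, OP_ENDPOINT, RETURN_TO)
    query = urlencode({"openid." + k: v for k, v in build_assertion(MAC_KEY, nonce).items()})
    return verifier.verify(parse_indirect_response(query), now=nonce_time(nonce) + 5)
```

Two of the checks are the ones that tend to go missing in home-grown RPs. The signature only covers the names listed in openid.signed, so an assertion whose claimed_id and identity sit outside that list carries a perfectly valid MAC while letting whoever redirects the browser pick the identity; REQUIRED_SIGNED refuses that shape outright. The nonce is recorded only after the MAC verifies, so an unauthenticated party cannot exhaust or poison the replay cache with forged messages.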