Open Identity at AOL Praveen Alavilli Authentication Team AOL LLC

Why Identity Matters for AOL?

Increase global reach, usage and monetization of products, services, programming and platforms

Well in simple terms …

• Allow any user that can be reliably identified
  – provide personalized services to a greater audience with a lower barrier to entry
  – consumer can use an identity they already have

• Allow users to use their AOL Identity at any place on the Internet that accepts them

• Make the AOL identity more valuable in the Web 2.0 space by participating in the Open Identity Meta System

• Provide easier integration process for 3rd party

Where in AOL ?

Many of AOL's value added services are Identity based

– personal services and public presence
  • Pictures, Video, Journals, Xdrive, AIM, WebMail, …

– high-value transactions
  • AOL Bill Pay, Finance, Portfolios, …

– personalization of existing non-identity based services
  • Mapquest, Magnets, …

Identity evolution in AOL

• AOL Accounts (w/ account relations)

• AIM Accounts

• ICQ Accounts

• Delegated accounts – mac.com, userplane.com, etc.

• Domain based accounts – email address, vanity domains, personal domains, etc.

• Federated accounts – Verizon, hansenet, etc.

We had to deal with ….

• Several Closed Systems of our own

• Different implementations & integrations
  – Several proprietary

• User experiences

• Client Vs web

• SSO from client to web and vice versa

• Up/Down sell processes to move identities from one type to another, and

• Authorizations and Subscriptions

• Identity Model itself

What we learned …. the hard way !

• Keep Systems Open

• Need for a Flat Identity model

• Adopt Open Standards & Protocols

• Need for simpler and lighter federations both inside & outside of our “walled garden”

We are looking at …

• OpenID

• Liberty/SAML

• CardSpace

Things we tried so far …

• OpenID Provider (Relying Party Support underway)
  – All AOL/AIM users have an OpenID (openid.aol.com/<sn>)

• SAMLv2 Lightweight Web Browser SSO Profile 'aka' Simple Federation Protocol
  – AOL - Verizon Bundling

• Verisign Seatbelt
  – Verisign’s effort to help solve phishing problems

• Liberty ID-FF/ID-WSF
  – AOL Radio Clients & some Media devices like D-Link

• Higgins STS (still in very early stages)

the way we look at them ….

OpenID
  – Pros: no provisioning, toolkits/modules, simple and easy to implement and deploy
  – Cons: Lack of Service invocation support, phishing, user awareness, Trust, user education

CardSpace
  – Pros: no service provisioning, consistent UI (phishing resistant), reasonable Trust level
  – Cons: Complex WS-* protocol and message formats (mainly for IDPs), OS dependent, user education, lack of toolkits/modules, user self provisioning

Liberty/SAML
  – Pros: solves a wide range of use cases, high trust, consent management for service invocation, details can be hidden from users
  – Cons: complex protocols and frameworks, designed for Web services - not well suited for browser based services, lack of toolkits/modules, poor adoption, service provisioning

OpenAuth

Our answer to the problems of
  – Complexity
  – Service invocation
  – Simple Provisioning
  – Identity for Web 2.0 applications

OpenAuth

• Simple API to Authenticate AOL/AIM/ICQ Users

• Light-weight “provisioning” and easy integration/use

• Well known/understood Technologies – HTTP/TLS/XML/JSON/…

• Permission (Consent) Management

• Secure Token exchange for ‘deputization’ of services

• Designed for AOL Open Services Consumption

• Supports Redirect, AJAX, and Direct Models for Web 2.0 apps

• Also …
  – OpenID Provider (OP)
  – OpenID Authentication Token Exchange Extension
  – OpenID Consumer/Relying Party - accepts 3rd party OpenIDs

Question/Comments….

http://dev.aol.com/openauth
