Embed Size (px)
DESCRIPTION
Citation preview
OIDF Social Media for Retailers SummitMarch 8th, 2011
Steve BraunschweigerEastman Kodak Company
Senior IT Architect
Overview Objectives
– Enable the “One Kodak” Marketing strategy through B2C (Consumer) and B2B (Customer) “single identity” and “single sign-on” at Kodak hosted sites, Kodak licensed ASP sites and Kodak subscribed SaaS sites.
Deployment– Kodak is targeting 200,000 customers and 60 million consumers.– Consumers choose their OpenID identity provider and self-provision their account.– Customers only use the Kodak OpenID identity provider and the customer account
provisioning is managed by Kodak.
Results– [too early]
Lessons Learned– The B2C and B2B experience and infrastructure must be separate.
– Authentication is a critical service requiring the highest levels of availability.
– Security is a moving target requiring continuous investment.
2
Kodak OpenID Target User Groups
The Kodak OpenID Service is intended for large and/or dynamic “external” user groups that do not have Kodak Global IDs. External users access Kodak websites/resources from the internet.
• Consumer: a user who consumes services or purchases services
and products for personal or family use. • Customer: the user to whom Kodak sells business products.• Business Partner: A third party commercial entity conducting
business with Kodak under contract. (e.g., Software firm contracted to co-develop a new product with Kodak; Channel Partner that resells Kodak product)
• Retiree: a former Kodak employee receiving recurring payments under the Kodak retirement system based on past service as an employee.
• CSRs: A Call Center Agent/Call Service Representative that handles incoming or outgoing customer calls for a business. A CSR might handle account inquiries, customer complaints or support issues.
3
Kodak Consumer OpenID Sign In
4
Kodak Customer OpenID Sign In
5
Kodak OpenID Service Requirements
System Requirements …
Enable consumer (B2C) Single-Identity/Single-click signon & customer (B2B) Single-Identity/SSO across Kodak internet websites.
Authentication service should work for Kodak, ASP and Cloud hosted websites.
Service should consist of an “Identity Consumer”, an “Identity Provider” and an “Identity/User Data Object Store”.
The “Identity Consumer” and “Identity Provider” components should be able to run either local to a web application or through remote/central proxy services.
Service components must be OpenID standards based and able to be run On-premise or in the Cloud.
Key user profile and registration data should be stored in a “User Data Object Store” that can be easily queried by Kodak CRM systems.
6
Not Every Site Supports OpenID Authentication
Identity Federation Gateway Defined
• For the Kodak OpenID Service, an identity federation gateway is a service that allows a user to authenticate with their Kodak OpenID identity and gain access to Kodak on-premise, ASP hosted or SaaS web applications that only understand Windows or SAML authentication.
Identity Federation Gateway Use-Cases
• Customer authenticates at the B2B Portal with their Kodak OpenID and needs to access a report managed and hosted by Business Objects Enterprise (BOE). BOE as implemented at Kodak only understands Windows authentication and authorization.
• Channel Partner authenticates at the Kodak B2B Portal with their Kodak OpenID and needs to access Kodak’s instance of Oracle on Demand (OOD) SaaS. OOD only understands SAML based authentication and authorization.
7
The Kodak B2B iPortal Integration Framework
• The “iPortal" is a collection of web services intended to enable low-cost and rapid web sites integration. The goal is to lower or minimize technical barriers for Kodak developed, ASP licensed or SaaS subscribed web-site participation in the iPortal experience.
• The iPortal gives participating applications (web-sites) full control of the browser window and "injects“ simple portal managed navigation for seamless SSO access to other web sites.
• The iPortal is based on industry supported light-weight web services integration technology that enables participating web sites to evolve independently of each other and of the iPortal application/integration services.
• The iPortal application hosts a small set of highly customized customer facing first-contact screens (landing-page, global navigation bar and personalized “Dashboard”).
• The iPortal manages and/or hosts B2B customer authentication services using industry standard OpenID protocol technology.
8
BizID Automated account provisioning of “customer “ OpenID
accounts in UCX Middleware providing single system for reading profile
information and offline synchronization processing OpenID centric UI developed in house Configuration file/point for starting the OpenID discovery
process The B2B User Povisioning System (UPS) will use BizID web
services and pub-sub services to replicate and achieve "Eventual Consistency" with applications (subscribers).
9
10
Requests For the technology
– What changes would you like to see in OpenID, OAuth, Portable Contacts, Activity Streams, etc.
For the service providers– What changes would you like to see from the ID and social network providers (Google,
Facebook, Twitter, Yahoo, LinkedIn, Microsoft, AOL, PayPal, etc.)– What changes would you like to see from system integrators or other third party
aggregators of these services
11
12
