Post: Letter to CIO: OpenID, Please

tags: action, nptech, openid, code

I sent a letter to our CIO the other day asking for OpenID for the office. Strikes me that OpenID is one place where traditional interests of IT (ensuring users have access to what they need, compliance) jibe with those of Web 2.0 service users.

Anyway, I thought I’d share my letter because many of you may have need of the same arguments. I mention Active Directory by name because that’s what our IT folks know. Substitute LDAP if it makes you more comfortable.

Our office is going Web 2.0. We are all using a bunch of commercial web services out there, and we’ll be adding users to our internal ones soon. Logins are a problem, of course. So is identity. We want folks to use their workplace name, email addresses, etc — they are representing the office in using these services. And it would be great if we didn’t have to remember 37 different passwords? And it wouldn’t it be even better that, once someone leaves, we could turn off all of those identities — so that folks ex-employees can’t misrepresent themselves? All of this can be done with OpenID. OpenID is like Active Directory for the internet. It does single-sign-on for websites, in a way that keeps passwords secure. It also identifies people for these sites — giving the sites email addresses, names and so forth. OpenID is a standard. And right now it’s the only way to do single sign-on that’s widely used. Here’s some background reading HOW TO DO OPENID If we were to provide an OpenID for our employees, there are three ways to do it:</p>

  1. Use a 3-rd party provider like http://www.myopenid.com. Works great, but users have to be added manually and managed manually — independent of our usual processes for provisioning users.</p>
  2. Run an OpenID front-end to Active Directory like http://www.openid-ldap.org/. This means user management happens in one place. When somebody leaves, disabling of their Active Directory account shuts down their OpenId, too.</p>
  3. Use a non-dedicated service like AOL or Yahoo. Every AIM user already has an OpenID. For example, http://openid.aol.com/aimusername. Works, sort-of.AOL doesn’t know that business email addresses, so I have to type that manually. And that OpenID has AOL’s name on it, not ours.

Will let you know how the office debate goes. Meanwhile, does anyone have experience implementing an Active Directory to OpenID bridge? While option 2 seems to be the best way to go, we’d all feel better hearing from somebody who’s implemented it. Let us know in the comments.