Thursday, March 15, 2007

Delegation is the new SSO

Delegation seems to have popped up from the identisphere as the hot meme du jour.

I know that just about every use case we discussed at a recent Ipswich (who says UK spring weather sucks?) meeting of the Liberty Alliance Technology Expert Group could be modeled as some form of delegation.

Examples include:
  • a client delegating the right to a network provider to serve up identity attributes on a user's behalf if and when the client was unavailable
  • an IDP delegating the right to a client to mint assertions on its behalf if and when the IDP was unavailable
  • a Mom delegating the right to members of her extended family to view online photos
  • a business owner delegating the right to an accounting firm's accountants to view/submit to the business's account at a government tax agency
The last two are particularly interesting for me because of their implications for the Liberty People Service. As it currently stands, the People Service perfectly supports the Mom and her photos (it was designed to) but doesn't elegantly support the latter. (It also hit home personally because of my own recent experience with the Government of Canada; see photo.)

As we roughed it out this week, a solution might work something like the following:

  1. BusinessOwner adds a group for his accounting firm CheckYourBooks to the company's People Service
  2. The new group, instead of directly defining a collection of specific individuals, points at a different group managed by a CheckYourBooks admin in that company's People Service
  3. BusinessOwner visits GovernmentTax and sets delegation policy by saying 'Allow members of CheckYourBooks to access my tax account'.
Subsequently, when an accountant from CheckYourBooks arrives at GovernmentTax, GovernmentTax will be able to determine that she is authorized by dint of her membership in the relevant (once removed) group. Consequently, she will be given appropriate access to BusinessOwner's tax accounts and can get to work claiming hot-tub purchases as business expenses (ha-ha, now that would be just crazy Mr CCRA Auditor, just wrong)

Importantly, if and when BusinessOwner discovers that the CheckYourBooks CEO has been skimming off the top and has moved with his mistress to the British Virgin Islands, it's easy to shut off access and switch it to the new accounting firm (until such time as they feel the call of the sun).
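As an added illustration (my own toy model, not the post's code and not the Liberty People Service's actual protocol or API), here are the three steps above plus the switch of firms: the owner's group points at the firm's group, GovernmentTax resolves membership one hop away at access time, and revocation is just repointing the owner's group. All organisation names, group names and addresses are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class PeopleService:
    """Toy People Service: a group lists members directly or points at a group in another service."""
    owner: str
    members: dict = field(default_factory=dict)  # group -> set of user ids
    refs: dict = field(default_factory=dict)     # group -> (PeopleService, remote group) or None

    def add_group(self, name, members=(), points_to=None):
        self.members[name] = set(members)
        self.refs[name] = points_to

    def is_member(self, group, user, max_hops=1, _seen=None):
        """Resolve membership at access time, following at most max_hops references
        (the post's 'once removed' group) and refusing reference cycles."""
        _seen = set() if _seen is None else _seen
        key = (self.owner, group)
        if key in _seen or group not in self.members:
            return False
        _seen.add(key)
        if user in self.members[group]:
            return True
        ref = self.refs.get(group)
        if ref is None or max_hops == 0:
            return False
        remote, remote_group = ref
        return remote.is_member(remote_group, user, max_hops - 1, _seen)

def tax_agency_allows(policy, user):
    """GovernmentTax's decision: policy is the owner's list of (People Service, group) pairs."""
    return any(service.is_member(group, user) for service, group in policy)

def run_scenario():
    """Steps 1-3 from the post, then the owner switching firms; returns
    (alice before, outsider before, alice after, new firm's bob after)."""
    firm = PeopleService("CheckYourBooks")  # constructed names and addresses throughout
    firm.add_group("tax-accountants", members={"alice@checkyourbooks.example"})
    owner = PeopleService("BusinessOwner")
    owner.add_group("accountants", points_to=(firm, "tax-accountants"))  # steps 1-2
    policy = [(owner, "accountants")]  # step 3: 'Allow members of CheckYourBooks to access my tax account'
    alice = "alice@checkyourbooks.example"
    before = (tax_agency_allows(policy, alice), tax_agency_allows(policy, "outsider@example"))
    new_firm = PeopleService("HonestLedgers")
    new_firm.add_group("staff", members={"bob@honestledgers.example"})
    owner.add_group("accountants", points_to=(new_firm, "staff"))  # repoint; the agency's policy is untouched
    after = (tax_agency_allows(policy, alice), tax_agency_allows(policy, "bob@honestledgers.example"))
    return before + after
```

Because membership is resolved at access time rather than baked into a cached assertion, revocation on either side (the owner repointing the group, or the firm dropping the accountant from its own group) takes effect immediately. The hop limit and cycle check keep a chain of referring groups from becoming an unbounded trust path.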
