What is OpenID?
OpenID is an open standard for digital identity, typically using a URL to identify people – for example, http://dhague.myopenid.com/
OpenID “Providers” (such as myopenid.com, yahoo.com and myspace.com) run identity services which allow people to maintain their identity profiles, and act as a technical mechanism for single sign-on.
OpenID “Relying Parties” (RPs), such as ustream.tv, Oxfam International, identi.ca and the comments sections of many blogs, allow you to authenticate just by entering your OpenID URL, meaning that you do not need to remember a username and password for each site. What happens is that the RP redirects you to your OpenID Provider where you enter your OpenID password, and you are then redirected back to the original site as a logged-in user. If you have already signed in to your OpenID Provider recently, then you usually don’t have to keep entering your password – instead, you just click a button to allow the redirect back to the RP website.
Typically, this means that the first OpenID-enabled site you visit in a day means you enter your OpenID password, and the rest of the sites you visit log you on with a couple of clicks. I won’t go into all the technical detail here, except to say that the whole system is cryptographically secure. You can find all the details here: http://openid.net/specs/openid-authentication-2_0.html
Nice technology. So what’s the business case?
Unless SAP get into the Web 2.0 social networking business, why are we concerned about this? After all, it’s not like we’re going to let someone called http://www.myspace.com/fluffyxx near our SAP system.
Here’s where it gets interesting though: imagine that SAP were to implement an OpenID Provider service based on the NetWeaver User Management Engine (UME). In other words, every SAP user in your enterprise (which could be every employee if you’re running Employee Self-Service) would now have an OpenID like https://openid.mycompany.com/dhague. This OpenID Provider would only provide that ID to a relying party (RP) site if that user is valid and not locked in SAP. Now imagine that you are another company running a B2B sales website. You can implement an OpenID login module (such as the one described in Martin Raepple’s article), but with a twist: you add a config table containing the domain names of all your business partners, and whenever a new customer company signs up for your service, you add their domain name to the table. The OpenID login module would only allow a user into your site if their OpenID belongs to an existing customer’s domain.
So what does this all mean to the businesses concerned?
- The B2B website offers an ease-of-use benefit to their customers by providing single sign-on through OpenID.
- The B2B website offers easier registration (OpenID Providers can provide a user’s profile data to a RP) and eliminates duplicate accounts for the same user.
- The B2B website doesn’t have to deal with “forgotten password” requests from buyers, no matter how long it is since they last logged in.
- When an employee leaves a customer company, the company disables the employee’s SAP account. This means that the employee is instantly barred from logging into any OpenID-enabled website using his corporate NetWeaver-enabled OpenID. This is a really big win – without OpenID, think of the time and trouble to contact every single business partner website and close down the employee’s account on each one, during which time a disgruntled ex-employee could be causing purchasing chaos.
- Because every OpenID login to a B2B site is done via a redirect to the user’s OpenID Provider, the customer company automatically has a record of every login to a business partner’s site.
- Using SAP’s role concept in UME allows fine-grained access control. The OpenID Provider could be written so that it will only allow login to an approved list of partner sites, and this list could be governed by a user’s roles. For example, all employees would have OpenID-based access to a third-party flexible benefits provider, but only purchasing managers would have access to office equipment suppliers. This puts role-based control where it belongs – back at the company doing the buying, not in the hands of the B2B site doing the selling.
Implementing OpenID in SAP NetWeaver as both a Provider service and Relying Party login module means that users get a smoother experience via single sign-on, websites have less user management to do, companies have better control over what their users do, maverick spending is reduced, and corresponding disputes are avoided.