Identity is a tough nut. We all know who we are, but even in the physical world a raft of documentation is required to prove your identity to others. The Obama birth certificate is a perfect example of just how complex identity can be. In the virtual world the situation is much worse because of the ease with which bad actors can impersonate others. Even a casual user of the Internet will end up with identity information stored in multiple places, protected by nothing more than a password. Your identities are only as safe as your passwords. A diligent person will use complex passwords and have a different password for each web site/identity-store. This quickly gets unmanageable. Federated identity is proposed as a solution to this problem: you have a single identity provider which is trusted by other web properties to vouch for who you are.
That sounds like a great idea: one identity trusted by multiple services. The reality turns out to be a mess, though, because everyone wants to be that one trusted provider of your identity. To make matters worse, there is no agreement on the protocols to be used for this identity federation. The aim of this blog is to discuss the pros and cons of the federated identity choices and to dive into security, privacy and programming considerations.