
November 02, 2010

Google OAuth, OpenID and federated login research

In recent meetings on access management and single sign-on I've mentioned the usability work being done by the Kantara ULX Working Group and suggested that it represents real progress in terms of how the relatively complex 'federated login' experience should be presented to the end-user.

Eric Sachs of Google has written up some research that they've been doing in the same space - research that includes a significant mocked-up ecommerce website and videos covering the kinds of 'login' scenarios that they've been thinking about.

I think this represents a really interesting piece of work, especially if some of it is made available as open source code (as the post suggests might happen).

The website at openidsamplestore.com was built to demonstrate how a website that already allows users to login can help those users (and new users) leverage OpenID to login. This provides a number of advantages for website owners such as:

  • Higher signup rates for new users and higher return/login rates by existing users
  • Lower customer support costs for handling problems with accounts
  • Improved account security by leveraging the security features and scale of large identity providers like Yahoo, Google, Microsoft, AOL, etc.

Users obviously also benefit from the improved user experience that can be achieved with OpenID.

The advantages outlined here seem, at first glance, to be most appropriate to e-commerce sites but I think they apply much more widely - to academic publishers, educational service providers, government websites, health websites and so on.

It'll be interesting to see how this work develops and whether the fact that it is being undertaken by Google means that it gains more traction and acceptance than might be the case with the Kantara work.




I was rather interested to find that the Google sample store recognises my company email address and invites me to log in with my company domain credentials. (Someone must have registered our domain with Google for this to work...)

The strange, and slightly worrying, part is that I am submitting my domain username and password direct to the Google domain, rather than being forwarded to any kind of local authentication. Admittedly it's over https, but even so I'm not sure our security auditors would like the idea of our domain passwords being processed on third-party servers... I didn't actually try it :)

My understanding is that, in your case, Google is not asking you for your company domain password because it is currently configured to use a local (to Google) password for that company email address. It could be hooked back into your domain (via SAML) but that isn't the case currently. Even if it were, the password would not flow via Google anyway.

Setting that to one side, it is clear that there is still significant room for confusion in this space!

Note that the demo is not just about using a Google Apps account to sign in to the demo Google sample store. It supports sign in via any service that supports OpenID/OAuth.




eFoundations is powered by TypePad