The event is for the owners of consumer websites, citizen oriented government sites, and enterprise SaaS services to discuss how to improve login systems by using techniques such as OAuth, OpenID and an Account Chooser.

Please join us on Wednesday, March 28th, 2012 from 10:00 until 17:30 GMT.

Registration is now open at the following link: REGISTER NOW!

Location:
Microsoft London Office, Cardinal Place, 80-100 Victoria Street, United Kingdom, SW1E 5JL

AGENDA:
10-11am: OAuth as the core Internet identity protocol

• Don Thibeau (Executive Director of the OpenID Foundation and Open Identity Exchange)
• Kick Willemse (OpenID Foundation Board Member and CEO of Prooflink)
• Description: A high level overview of the protocol, and an explanation of why major technology companies have standardized on it including Google, Microsoft, Facebook, Yahoo, etc.  We will also discuss how the functionality of the OpenID v2 protocol has been reimplemented on top of OAuth to create OpenID Connect.  The session will also discuss the security problems of websites that run their own password based login systems.

11am-Noon: Bridging Internet Identity protocols

• Patrick Harding (CTO, Ping Identity)
• Description: While OAuth is the main protocol for new Internet identity systems, most companies still need to deal with a mix of other protocols, including their own internal sign on system across the different parts of their website, as well as for employee signing sign on.  Learn about how to use a token management service to bridge between those different protocols.

Noon-1pm: Lunch

1pm-2pm: Using Social Login to get more out of logins then just an email

• Patrick Salyer (CEO, Gigya)
• Vidya Shivkumar (Director of Products, Janrain)
• Description: While logins used to just be about email and password, there is now the potential to do much more using popular consumer identity providers such as Twitter, Yahoo, Facebook, Google, Microsoft Live, etc.  This session will discuss the success many websites have already had with this model.

2pm-3pm: Improving the user experience of sign-in using an Account Chooser

• Eric Sachs (Senior Product Manager, Identity, Google)
• Description: Google and other sites have started to roll out a new login experience called an Account Chooser.  Get an overview of how it works, and learn why companies like Google are making this change.  The session will also explain why it is so much easier for a website to add support for identity providers (both consumer and enterprise) after first deploying an account chooser.

3pm-3:30pm: Snack break

• The second part of the session only has room for 100 people. We will check badges at this point and you will only be able to join the second session if you registered for it online. However everyone is welcome to join the snack break

3:30pm-4:30pm: Verifying real world identity on the Internet

• Philip Stradling (Senior Program Manager, Identity, Microsoft)
• Andrew Nash (Director of Product Management, Identity, Google)
• Don Thibeau (Executive Director of the OpenID Foundation and Open Identity Exchange)
• Description: How do websites know which identity providers to trust, and visa versa? Also learn how governments are using the same techniques discussed at this conference to engage with citizens online.

4:30pm-5:30pm: Strong authentication and identity verification

• Ingo Friese (R&D project manager, Deutsche Telekom AG; Telekom Innovation Laboratories)
• Andrew Nash (Director of Product Management, Identity, Google)
• Description: Hear how large consumer websites like Google are using mobile phones today in addition to passwords.  Learn how you can confirm attributes about a user on your website such as name, address, etc. This session will describe the working groups in the Open Identity Exchange that are focused on this topic, and will include demonstrations of live systems.

In addition to the presentations above, Ping Identity is also hosting a similar event the previous day.  If you’re a security architect, IT manager, SaaS product manager, eBusiness leader, CSO, CTO, or CIO leveraging the Cloud to change your business, it’s a day of identity security best practices you don’t want to miss.

Best regards,

Don Thibeau, Executive  Director
OpenID Foundation

Hosted by:

OpenID   Microsoft   Google

• Basic Client Profile – Simple self-contained specification for a web-based Relying Party. (This spec contains a subset of the information in Messages and Standard.)
• Discovery – Defines how user and provider endpoints can be dynamically discovered.
• Dynamic Registration – Defines how clients can dynamically register with OpenID Providers.
• Messages – Defines all the messages that are used in OpenID Connect. (These messages are used by the Standard binding.)
• Standard – Complete HTTP binding of the Messages, for both Relying Parties and OpenID Providers.
• Multiple Response Type Encoding – Registers OAuth 2.0 response_type values used by OpenID Connect.

The voting results were:

• Approve (86 votes)
• Disapprove (1 vote)
• Abstain (2 votes)

Total Votes: 89 (out of 363 members = 25% > 20% quorum requirement)

An Implementer’s Draft is a stable version of a specification providing intellectual property protections to implementers of the specification.

The specifications are posted at these locations:

• http://openid.net/specs/openid-connect-basic-1_0-15.html
• http://openid.net/specs/openid-connect-discovery-1_0-07.html
• http://openid.net/specs/openid-connect-registration-1_0-08.html
• http://openid.net/specs/openid-connect-messages-1_0-07.html
• http://openid.net/specs/openid-connect-standard-1_0-07.html
• http://openid.net/specs/oauth-v2-multiple-response-types-1_0-03.html

A description of OpenID Connect can be found at http://openid.net/connect/.

The working group page is http://openid.net/wg/connect/.

This OpenID summit gives web site developers and technologists a closer look at the OpenID Connect protocol, its use cases and adoption plans by leading companies. We will introduce “Account Chooser” its implementation and user experience and provide interop testing and feedback for next generation OpenID adoption.

 Please join us on Monday, September 12, 2011 from 12:00 Noon until 5:00pm PDT and Tuesday, September 13, 2011 from 10:00am to 5:00pm PDT.

 Registration is now open at the following link: REGISTER NOW!

 Location:
Microsoft Research Silicon Valley Campus – 1288 Pear Avenue, Mountain View, CA  94043

OpenID Connect Tech  Summit 

AGENDA: Monday,
September 12, 2011 – 12:00pm-5:00pm

Noon: Lunch will be provided for attendees

12:00-12:20 – Welcome
Don Thibeau, Executive Director, The OpenID Foundation

Technical Sessions

12:20-1:00 – Overview and Update of OpenID Connect and OAuth 2.0, Mike Jones, Microsoft,
Director of Identity Partnerships

1:00-3:00 – OpenID Connect Spec development (Working Group Review led by Allen Tom and Mike Jones)
[2 hours]

• Timing goals for ratification
• Core protocol
• Dynamic RP registration and IDP discovery
• Claims
• Session Management
• Artifact Binding
• US Government OpenID Connect profile

3:20-4:00 – Open time for Technical Interop,  Allen Tom & Mike Jones [60 min]

4:00-4:40 – OpenID Connect: Building Test Infrastructure, Roland Hedberg

4:40-5:00 – Wrap-up, Don Thibeau, Executive Director, The OpenID Foundation

AGENDA: Tuesday, September 13, 2011 – 10:00am-5:00pm

Business Session

10:00-10:20 - Welcome Don Thibeau, Executive Director, The OpenID Foundation

10:20-11:00 - Feedback Review OpenID Connect Mike Jones, Microsoft
and Allen Tom, Directors, The OpenID Foundation

11:00-11:40 - Overview and Update of Account Chooser,  A presentation on a new sign in experience for the web, how to get involved, and an update on the legal status of related IP. Scott David, K&L Gates,  Basheer Tome,  Independent & Eric Sachs, Google

11:40-12:20 – Migrating Users to Identity Providers From Email/Password Logins”,  A Summary of the experience of websites, including Google, that have started to migrate users from traditional logins to identity providers.  Eric Sachs,  Google, Product Manager

12:20-1:00 – Lunch

1:00-1:40 – Microsoft as an RP and IDP, Speaker (TBD)

1:40-2:20 – Way Beyond Single Sign On, Greg Keegstra, Janrain

2:20-3:00 – The Value Proposition for OpenID Connect & Account Chooser in the Enterprise, Pam Dingle, Ping Identity

3:00-3:20 – Break

3:20-4:00 – Open Identity and Online Adoption, A discussion on trends in the adoption of social login among online businesses. Patrick Salyer, Gigya

4:00-4:40 – OpenID Connect & UMA Synergies, OpenID Connect and User-Managed Access (UMA) solve interestingly complementary problems.  This session will explore use cases and proposals for combining them.  Macie Machulak

4:40-5:00 - Wrap up Don Thibeau, Executive Director, The OpenID Foundation

Best regards,

Don Thibeau, Executive  Director
OpenID Foundation

Additional information is available at:

http://openid.net/connect/

http://accountchooser.com/

Hosted by:

OpenID Connect uses the best practices of widely used OAuth/REST/JSON based APIs to define a standard and interoperable way to authenticate users.  Developers should care because rather than having to learn an new and slightly different version of essentially the same API every time they want to integrate with a different identity provider, they can just do it in a standard way using a consistent interface.  In the long run, OpenID Connect will make the web more interoperable, because it makes it easier for developers to integrate with multiple services.

FYI, the working group *is* planning to reorganize the specs to have the minimal set of OpenID Connect functionality be contained in a single document, although this will likely not be in place for a few weeks.  Even before that is done, we wanted to make people aware of this set of specs now so early implementation work and technical feedback can occur.  Remaining edits to the specs should consist of corrections, clarifications, and reorganization, rather than additions of significant new functionality.  For now, developers should start with the (admittedly awkwardly named) OpenID Connect HTTP Redirect Binding spec.

Let the feedback and prototyping begin! [*1]

[*1] The easiest way to do is to join the AB list at http://lists.openid.net/mailman/listinfo/openid-specs-ab, submit the contribution agreement from http://openid.net/intellectual-property/ (which you can now do online!), and then send comments to the openid-specs-ab@lists.openid.net .

The “co-evolution” of OAuth and OpenID

Late last year, the members of the OpenID Artifact Binding and OpenID Connect Working Groups joined forces to develop a simple, common specification. The result had been informally referred to as “OpenID Artifact Binding/Connect” or “OpenID ABC”. Key contributors from both working groups have been working on a core specification ever since. Weekly specification calls have methodically focused on identifying and closing open issues. A key milestone was reached at IIW earlier this month: the remaining open issues were identified, tradeoffs debated, and all issues closed – with consensus decisions recorded in the Artifact Binding mailing list archives. The working group is now refining the specifications to reflect those decisions, as well as tracking the evolution of closely related specifications like OAuth 2.0.

Having passed this gate, the OpenID board decided to brand the result “OpenID Connect” and solicit as wide and diverse feedback as possible. The OpenID Retail Summit at PayPal, the “Security” Summit at Symantec, and last week’s OpenID Summit in Munich at the European Identity Conference all featured detailed briefings and feedback on OpenID Connect. While still a work in progress, OpenID Connect has achieved the levels of participation and consensus needed to advance to the next phase: interoperability testing for multiple use cases in several venues worldwide. We’ll continue to engage developers and potential deployers about OpenID Connect at upcoming OpenID Summits, including the next summit on July 19 in Colorado sponsored by Ping Identity, in to better understand, critique, refine, test, and ready OpenID Connect for prime time.

A look under the hood of OpenID Connect:

- web and developer friendly, building upon OAuth 2.0 and JSON
- simple site registration functionality (the “Connect” part)
- works well on mobile phones (the “Artifact Binding” part)
- simple JSON-based claims model
- reuses claims definitions from existing Portable Contacts specification
- can achieve a range of security characteristics, spanning use cases from social networks to those needing higher levels of assurance
- modular specifications, so deployers need only implement the functionality their applications need.

The strength of the open standards is the ongoing scrutiny from a global community of supporters and skeptics. Progress depends on those with the “courage of the first draft.” Our special thanks go to OpenID Board members Mike Jones, Nat Sakimura, and John Bradley, together with Breno de Medeiros from Google and Chuck Mortimore from Salesforce: working group participants whose dedication and perspectives were critical to building consensus, closing the open issues, and setting the stage for OpenID’s next act.

Don Thibeau
Executive Director

We plan to take advantage of face to face discussions on the around the next version of openID.

For those attending and others I want to point to the various potions of the spec work so that people have that in hand for IIW.

One of the changes from openID 2.0 is that the new specification is more modular.

The following diagram illustrates the components and links to the specs:

(Click on the diagram to see each specifications.)

Everything is built on top of OAuth 2.0 and the Bearer Token Profile of OAuth.

We are supporting multiple OAuth Flows for different device types.

The heart of OpenID Connect is the Core spec that describes the abstract protocol.

Discovery of user identifiers such as email for URI is performed by a profile of Simple Web Discovery

Session Management is currently a separate spec, however it may be folded into Core.

Revised: Core 1.0d03 incorporates the session management endpoints and eliminates some duplication.

Outstanding Issues

We are hoping to use our face 2 face time around IIW to resolve some of the outstanding issues:

We will be producing a implementers guide to make it easier for people to build clients without having to wade through all of the separate specs.

Expect an update after IIW in May.

John B.

Just before the latest Internet Identity Workshop, a few dozen members of the OpenID Foundation met at Facebook for a technology summit. Sessions ranged from the future of OpenID – looking at Connect and Artifact Binding – to details around profile data, signing, and encryption. Over the afternoon the group came to consensus around a number of different technical proposals.

You can find my notes from the day at http://bit.ly/b69H7d and we encourage you to continue discussion on the mailing lists. If you were at the Summit, please feel free to add anything we may have missed.

This announcement is significant for several reasons:

1. The number and breadth of industries represented by the new members
2. The use of OpenID by member companies for commercial transactions
3. Collaboration between OpenID Japan and Liberty Alliance Japan
4. An earlier survey by internet.com and Marsh Research of Japanese internet users found that 28% of knew about OpenID and 15% were using OpenID

Congratulations to OpenID Japan on these significant milestones.

There was some discussion from a few people yesterday claiming that Google’s implementation was a fork of OpenID. Today, Eric Sachs, Google’s lead on this effort, has another post responding to some of this early criticism:

That registration requirement also led to some confusion because users wanted to be able to use existing websites that accept OpenID 2.0 compliant logins by simply entering gmail.com (or in some cases their E-mail address) into the login boxes on those websites. … Once the XRDS file is live, end-users should be able to use the service by typing gmail.com in the OpenID field of any login box that supports OpenID 2.0, similar to how Yahoo users can type yahoo.com or their Yahoo E-mail address (In the meantime, if you feel really geeky, you can type https://www.google.com/accounts/o8/id into an OpenID 2.0 login box).

Although these are both considered “preview releases” by both companies, the fact that they have put code out there that developers can start to work with is absolutely fantastic. Both Google and Microsoft have stated that these are testing implementations and as such, their may be certain limitations while they work on localization, scaling and general UI.

Mike Jones talks about some of the details of the Microsoft LiveID testing:

One feature of the OpenID 2.0 implementation that I’d like to call your attention to is that they give users a choice, on a per-relying party basis, whether to use a site-specific OpenID URL at the site for privacy reasons, or whether to use a public identifier for yourself – explicitly enabling correlation of your identity interactions on different sites.

We also have an episode of theSocialWeb.tv where we have Eric Sachs from Google talking about this historic week with David Recordon, Joseph Smarr and John McCrea:

While OpenID has seen rapid adoption in the “user generated content” segment (blogs, discussion groups, wikis, etc.), we were very excited to see increased interest from mainstream media companies and affinity organizations. Participants at this event included AARP, AOL, BBC, Google, Hearst Magazines, JanRain, Meredith, MySpace, National 4-H, National Public Radio (NPR), The New York Times, Reed Business Information, Six Apart, Time Inc., Vidoop, and Yahoo!.

Throughout the day we covered a wide range of topics including:

• Business case for OpenID — use cases and economic impact
• Best practices for OpenID Providers and Relying Parties in the areas of user experience, data support, security, and product features
• Optimal Content Provider user experience
• Data Management — sources, integration, industry specific data, accuracy, security & trust
• Coming Enhancements — Provider Authentication Policy Extension (PAPE), OAuth, Portable Contacts API, MySpace Data Availability, and integration of OpenID into browsers.

Yahoo!, Google, and MySpace all presented information about their OpenID Provider services, thoughts on user experience and lessons learned, and some future plans. National 4-H presented a summary of an OpenID-based integrated National, State, and Local web platform that they will be deploying in the coming months. We shared a case study on Japan Airlines (JAL) federated partner commerce using OpenID with the proposed Trusted Data Exchange (TX) extension that Nomura Research Institute (NRI) has been developing. There was extensive discussion between existing and potential Relying Parties and the OpenID Providers about what would facilitate faster and broader adoption of OpenID in the Content Provider community. The session was moderated and feedback captured by Market Focus, a strategic marketing consulting firm who will be performing additional customer and market research on behalf of the OpenID Foundation.

If other content providers would like to join this advisory committee, please contact Johannes Ernst or Brian Kissel of the OpenID Foundation Customer Research Committee for further information.

Additionally, many members of the OpenID community will be attending the upcoming Internet Identity Workshop (IIW) on November 10-12 at the Computer History Museum in Mt. View, CA. This will provide a great venue for face to face discussions and additional opportunities to provide input and feedback on the future direction of OpenID.