Enterprise SSO #25
Comments
|
Somewhat related problem that often gets discussed in conjunction with this problem: First Party SSO. |
|
I'm going to close down this issue now that we have a fully dedicated section in the explainer: https://github.com/samuelgoto/WebID#enterprise Feel free to re-open if you fee like I failed to capture something from here in that section. |
|
Did you mean to link to your personal github?
|
|
I don't think deferring to Enterprise Policies and FPS is really sufficient. |
|
Re-opening this to make sure this doesn't fall through the cracks. |
|
We broke this into many smaller parts since this was initially filled, so I'm going to close this as we make progress on the individual parts. Feel free to re-open if you feel like there is something actionable here. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Enterprises rely on identity federation to enable single-sign-on on the Web today. Here is a typical example:
The problem?
Unfortunately, step (4) depends on many low level primitives that are being tightened up as a result of cross-site tracking, namely third party cookies, link decoration and postMessage.
Can First Party Sets help?
FPS is a formulation to allow user identity to span related origins, where consistent with privacy requirements. However, the intent of FPS is to bundle origins within a unifying organization. For example, https://google.com, https://google.co.uk, and https://youtube.com are owned by the same entity, as are https://apple.com and https://icloud.com, or https://amazon.com and https://amazon.de.
Back to our original example, it is clear that https://corporation.com and https://www.expenses-sass.com/ are not owned by the same organization, but rather a contracted service provided by two different organizations, so doesn't fit the FPS model.
Enterprise Policies?
The idea behind enterprise policies is that enterprises issue machines for their employees to do their work, and in doing so, have a tighter level of control and expectations about their use.
Enterprise policies are policies set by enterprise admins for machines that the corporation issues for their employees. These policies change a variety of browser behavior.
Enterprise SSO is different from consumer SSO in two ways:
The idea then, is to add enterprise policies that enable enterprise admins to set policies that lower the browser interventions for a specific set of origins.
One proposal is to allow enterprise admins to say “this specific origin IDP.example can communicate with other origins”. With that permission, IDP.example is then responsible for making a determination of which domains it trusts to integrate with.
For example, corporation.com could have an enterprise policy setting accounts.corporation.com as the IDP, which would allow things like https://www.expenses-sass.com and https://www.vacations-sass.com to pass through but disallow other unintended origins.
One shortcoming of enterprise policies is that they will probably need to be set specifically for each browser the employees of a corporation are allowed to use, so there is an extra cost involved to admins to manage their fleet of devices.
WebID and Enterprise Profiles?
WebID is a formulation to preserve federation under tighter privacy controls. However:
In BYOD (bring your own device) use cases, employees use their own personal devices to access corp resources. One interesting idea to be explored is using WebID to make the set up enterprise policies, possibly even kicking off a partitioned enterprise profile.
The text was updated successfully, but these errors were encountered: