Monday, 12 October 2009

Should universities be OpenID providers, consumers, both or neither?

JISC commisioned a report on OpenID which was published last December. There were comments at the time, in particular thinking about the differences between Shibboleth and OpenID. Since then many more providers have announced support for OpenID in some form, but I'm not aware of much activity within UK HE.

One criticism is that OpenID providers typically give no guarantee that a user is who they say they are, so we wouldn't want to use it to authenticate resources of real value. However a university could use it as a mechanism for public resources - for example external users could log in with OpenID to comment on a public university wiki.

I think there is more benefit right now in us becoming an OpenID provider. This is a way to "internalise external web services". When experimenting with Web 2.0 services I often find that colleagues are reluctant to try something. An important reason given is that remembering another username and password is a hassle. It's a fair point. We've worked hard to combine internal university services into one single sign on, and expecting different logons for external services is a large step backwards.

Notable services which allow you to log in via OpenID include:
  • - several web services including HighRise simple CRM
  • Zoho Office - web-based office software
  • comment on blogs at Blogger (but you still need a Blogger/GoogleID to create a blog)
  • Log in to Facebook via OpenID (but you need to have created a Facebook account without OpenID first)
Unfortunately that's almost it, out of what I would call notable services. Other organisations make the same judgment as us - there is more value in being an OpenID provider than an OpenID consumer. They don't want to lose the direct customer relationship. It tends to be the less established companies that fully support OpenID. 37Signals produce excellent webapps but are quite a small player. Zoho is also excellent but plays second fiddle to Google Apps. Those are two of the better companies who are OpenID customers. If we integrated their webapps into our portal I'd be happy that they aren't going to disappear overnight, but I would worry about a lot of the others. I worry when looking at the OpenID directory that I've never heard of most of the sites on the list.

None of these popular web services allow you to log in with OpenID:
  • YouTube
  • Flickr
  • Slideshare
  • Evernote
  • Eventbrite
Due to the importance of network effects I firmly believe you are better off using the market leading Web 2.0 services. I wouldn't encourage staff or students to use a Flickr clone just because it does OpenID. Building university services that tie in with Flickr itself is more likely to be successful, as that is where the content and users are already.

So what should we do? I think there is benefit for individual universities in becoming OpenID providers.
A mechanism for staff and students to comment on externally hosted blogs under their university ID sounds useful. We could even let students log on to Facebook through their university portal - or would that horrify them?

We could become providers at a national level by creating a gateway between OpenID and UK Access Federation, but which acts the opposite way round to the existing gateway. Should we start to think about reconstructing UK Access Federation on top of OpenID?

Or is all this just too soon - should we sit on our hands a little longer and hope more OpenID consumers emerge?