The one way relationship between our user accounts and the MIS database also makes it difficult to engage with new users online. If you can’t get an account until you become a student, how do you allow potential students to apply online if all your systems are integrated with single sign-on? And if you can’t authenticate the online identity of your users, how do you set initial passwords into your system? Or allow them to reset a forgotten password online?

Internet companies never struggled with this issue, as their customers could only approach them online, but most universities built systems around paper applications and have fond (and relatively recent) memories of offering their students their first internet experience. It’s still not unusual for universities to offer their students their campus computing account with a default password based on supposedly secret data shared between the user and the school. But your SSN, birth date, and mother’s name are no longer secret. A proposed change in FERPA policy (see the the top of page 15586 in the NPRM) would have barred the use of “a common form user name (e.g., last name and first name initial) with date of birth or SSN, or a portion of the SSN, as an initial password to be changed upon first use of the system” in systems that store academic data. The final rule excluded that provision, much to the relief of those schools with more lobbying clout than brains.

Platform Choices

Rather than wait to see how the ruling played out last year, we went to work trying to improve security while easing access to our systems (no, that is not self-contradictory). Our challenges were thus:

• Fix initial password assignment
• Fix password resets
• Allow users with a loose or undefined relationship to the institution to create limited accounts for the purpose of interacting with the institution or its members

We considered a number of paths to a solution, including hacking of our university portal (which hosts the CAS single sign-on in our environment), expansion of a limited home-built solution, and a review of commercial and open source products and frameworks. We simplified the problem by confirming that the FERPA rule did not require us to authenticate the “real life” identity of a person; rather, we had only to validate the online identity of a person (saving us from needing to do things like send confirmation PINs by postal mail to a person’s home address).

In the end, we chose WordPress MU. Significant factors were our experience with the software (all the MIS developers use it personally), the extensibility of it as an application platform, the development focus on user experience (especially in recent versions), and our interest in using it as a framework for other user-facing services (especially BuddyPress).

Our Needs vs. WordPress

• The system must serve as the front end to our single sign-on environment, using our AD and LDAP password stores to authenticate users who have accounts in those systems.
• External email addresses, once verified with some challenge/response, can be used to reset a password.
• Users who are presently affiliated with the school have a school-provided email address, but no external address with which to reset their lost passwords.
• Users who are not presently affiliated with the school have no school-provided email address, and must verify their external email address before their account is activated. They can then set their own password once they verify their email address.
• The ability to send password reset codes via SMS would be nice (especially considering the number of long-time employees of the university who do not have personal email accounts), though that also requires the verification of the user’s cell phone number.

After reviewing what we wanted to do, we surveyed WordPress’ code to develop an implementation plan. And, because a number of aspects of our application process were changing, we decided to focus on allowing current users to self-reset their password and postpone development of account self-creation features for new users. Still, a few issues quickly emerged:

• WordPress requires a username be assigned to each user, rather than relying on email address (this is likely to change in WP 2.9) Creating a new username for our users is unacceptable, but adding a large number of new users to our existing username space will quickly deplete the “good” usernames. And changing a user’s username as their affiliation with the institution is unacceptable.
• The core user authentication function can be replaced with our own function. (And in 2.8 it became filterable)
• WordPress MU will validate email addresses, but the system isn’t built to be extensible.
• WordPress only stores one email address per user, but the user meta system can be used to store a second one. Unfortunately (and in a manner inconsistent with post meta), only one value per meta key per user is allowed, making it difficult to allow users to have an arbitrary number of email addresses associated with their account.
• The function that identifies a user by a given email address can be replaced with a function that also checks the secondary address.
• WordPress user profiles have no phone field, but the user meta system can be used to store one. A function to identify a user by a given phone number must also be created.
• Unlike some settings pages, the fields on the user profile editor cannot be changed simply by modifying the $wp_settings_fields array.
• Upon doing a password reset, the user is sent a temporary password, rather than being allowed to set a new password. This contradicts University policy about how passwords are used and communicated and could train users that sending passwords by mail is acceptable.
• The various functions in wp-login.php cannot be replaced, and in WP 2.7 the code had no way to add or replace various login actions (WP 2.8 changed that).
• WPMU-specific functions don’t always follow WP coding standards or models.

(Note that we began our work and deployed the system under WPMU 2.7. WPMU 2.8 included a few changes that made the process easier. I’m proud to say that some of those changes were a result of code we offered back to WP during our development.)

What We Did

• We decided that email addresses (both PSU addresses and external addresses), as well as PSU usernames would be acceptable identifiers for an account, and that a person should be able to log in to our web services using any of those identifiers. So…
• We replaced wp_autenticate() with our own function that accepts either email address or university username, checks to see if the user exists locally, checks to see if they exist in AD or LDAP, confirms their password, provisions their WordPress account (for university users who’ve not logged in via this method yet), establishes a session with our university portal and redirects them there (unless $redirect is set to something more specific that the dashboard).
• We decided to replace WordPress’ usernames with a random string matching a pattern we established. This became the WPID. Doing this required us to hide references to username (easy if you set a preferred display name)
• To store phone numbers and secondary email addresses, and allow users to edit those within their profile, I created the Alternate Contact Info plugin (browse source). This requires more use of output buffering than I’d like, but it gets the job done.
• To confirm email addresses and phone numbers via a challenge/response message (and support other interactions), I created the WordPress Ticket Framework plugin (my introduction, browse source).
• To send messages via SMS, we used my wpSMS plugin (in the plugin directory, browse source).
• Matther Batchelder re-skinned the login screen via a plugin that inserts our custom CSS.
• After determining that our university portal could not be made to authenticate via CAS, I gave up work on my wpCAS Server plugin and developed another method to initiate the portal session (which then establishes a CAS session using the portal’s CAS server).
• We replaced most of the functionality of the wp-login.php page (by hacking core at first, then taking advantage of the action hook in 2.8). In doing so we were able to change the password reset behavior to allow users to immediately change their password after entering their reset code (which was sent to their email address or phone via SMS).

Over time we extended the system to host multiple domains and replace our CMS. Soon we’ll consolidate our  public blogging instance into it, and we’re building an invite system that we can use to invite people to join our community.

What It Looks Like

The re-skinned WordPress login

Entering an email address or username to get a password reset code

SMS text with password reset code

Enter the password reset code from the SMS text message here, or follow the link from the email

Extended contact information in the WordPress profile

And that’s how we replaced our authentication system with WordPress, gained self-service password resets, and built the foundation to invite new users into our system.

I’m not really part of the Jasig CAS Community (learn more), but I do maintain the wpCAS WordPress CAS client and I’ve started development of a CAS server component for WordPress. That project is on hold because one of the products that I’d expected to integrate with it doesn’t use standard CAS and the vendor of that app has chosen to modify the JASIG CAS server to support their apps.

The standard is the protocol, not the server application, though we probably won’t really understand that until we see more CAS server implementations. Nonetheless, it’s important to keep that point in mind if we we hope to grow the usefulness of CAS.

I’m working to integrate an application on a remote-hosted IIS server into our CAS environment. CASisapi (svn trunk or svn tags/production) may do the trick, though Phil Sladen struggled with it (in 2005). There’s reason to doubt it. Not only is the sparse information all old, I first learned about it from a page full of broken links and the apparent author recommends against it. There’s a little more information here for those who can read Danish.

UC Davis’ CAS ISAPI client may be a better solution (it certainly looks easy to install). Builder AU talks about .NET + CAS, and Case Western has a lot of documentation. Only partially related: it looks like World of Warcraft uses CAS.

CAS — Central Authentication Service — has no logo, but it’s still cool. Heterogeneous environments like mine offer hundreds of different online services or applications that each need to authenticate the user. Instead of throwing our passwords around like confetti, CAS allows those applications to identify their users based on session information managed by the CAS service. It also obviates the need for users to offer their credentials to potentially untrusted systems — think externally hosted systems.

So CAS is great, but what about WordPress integration? Andrej Ciho and Stephen Schwink both worked on the problem and were kind enough to share their solutions with the community. Now, building on their work, I’ve released the WordPress CAS plugin we’re using at Plymouth State.

It’s compatible with both regular WordPress and WordPress MU. You can configure it via a settings menu, or a conf file. And if the CAS user doesn’t exist in WordPress, the plugin can call a function you define to provision an account for them or do whatever you want. It’s written for easy maintenance — your configuration info won’t be lost if you svn up, for example — and convenience, but then, you also have to have a working CAS environment going before it’s useful.

Get my wpCAS WordPress CAS plugin, or read more. And here’s the announcement on CAS user mail list.

Atlassian’s Crowd SSO and IdM solution has the kind of online pricing you’d expect for word processing software. I don’t know if it’s any good, but it’s a sign that identity management getting boring.

Following news that Yahoo! is joining the OpenID fray, it appears Google is dipping a toe in too. While those two giants work out their implementations, others are raising the temperature of the debate on IDM solutions. Stefan Brands is among the OpenID naysayers (David Recordon’s response), while Scott Gillbertson sees a bright future. Let’s watch the OpenID Directory to see how fast it grows now (count on January 19 2008: 446).

Ars notes that Yahoo! supports OpenID. Yeah, that OpenID.

The conversation on Code4Lib about OpenID reminded me to finish a draft I’d started at Identity Future on the topic.

The short of it is that Marc Canter says that single sign-on is good, but “we need the attribute exchange to make this thing really take off.”

Then all the skeptics will realize that the authentication layer HAD to come first – but was just a first step. Along the way we’ll figure out standards for user intrerface and usage flow.

But for now – the critics are right – OpenID as it stands right now is just authentication and that ain’t gonna rock nobodies world – except for Bard Fitzpatrick’s world – I guess.

It’s been a long time since I said identity management is the next big thing (and many of the names have changed since), but I stand by it. I also stand by the suggestion that blogs — user-driven technology — will drive it.

, attribute exchange, identity management, idm, libraries, marc canter, openid

Ryan gave me the drop on this presentation by Dave Chiu and Didier Hilhorst where they do an amusingly effective job of explaining the concept of reputation management. It all went down at the conclusion of the Applied Dreams 2.2 project at Interaction Design Institute Ivrea in Milano.

The project brief begins:

Our identities are changing due to our constant exposure to enabling technologies.

Our old physical identities, fixed to a house, an address, a tax number, private, detached, individual, introvert, seem increasingly at odds with our new electronic identities, mobile, self-published, publicly exposed, extrovert, shared, accessible, communal.

Simultaneously, an interconnection between individuals, commercial and authority is leading to the increasing relevance of self-organising, temporary socio-spatial communities and to the creation of micro-economies.

Dave Chiu, Didier Hilhorst, RentAThing, applied dreams 2.2, identity, identity management, idm, presentation, reputation, reputation management

(note: the following is cross-posted at Identity Future.)

Being that good software — the social software that’s nearly synonymous with Web 2.0 — is stuff that gets you laid, where does that leave IdM?

Danah Boyd might not have been thinking about it in exactly those terms, but her approach is uniquely social-centered. She proposes “SecureId”

What is SecureId? SecureId is a program that helps you protect and control your digital identity by allowing you to determine who can access your private information. By allowing you to articulate your digital contexts based on facets of your identity, SecureId provides the framework for you to properly relate identity information and people with contexts, thereby giving you the ability to portray yourself properly. SecureId uses a knowledge-based security system to help you manage access to various facets of your identity. By presenting you with a portrait of your digital identity, SecureId also gives you a virtual mirror to your social performance.

Reading further, she implores us to “imagine that you are in control of your digital identity.”

The information you give out on a daily basis is quite context dependent. While you might give your medical history to your doctor, would you give it to a random stranger? Does your language differ between work, the pub and at home with your 3-year-old? What about your clothing? Not only do you make different decisions based on the level of trust you have, but also based on what is socially appropriate. Speaking to your boss like you speak to your child might be both inappropriate and offensive. Do you have different groups of friends, family and associations that may or may not interact with one another? What roles do you play in your life and how do aspects of your character change when you are in these different roles?

SecureId offers you an interactive visual landscape for articulating your identity facets and associating appropriate data with them. Through this mechanism, you can quickly see who has access to what aspects of your self. By presenting you with a portrait of your digital identity, SecureId also gives you a virtual mirror to your social performance, an awareness that is taken for granted in the physical world.

context dependent identity, danah boyd, identity management, idm, social, social aspects, social context, social identity, social idm, social interaction, social networks, social software

A tip from Ryan sent me looking at MicroID:

a new Identity layer to the web and Microformats that allows anyone to simply claim verifiable ownership over their own pages and content hosted anywhere.

The idea is to hash a user’s email address (or other identifier) with the name of the site it will be published on, giving a string that can be inserted — in true Microformats style — as an element of the html on the site.

Examples:

To verify a user’s home page or ownership of any page:

<head>... <meta name=“microid” content=“a9993e364706816aba3e25717850c26c9cd0d89d” /> ... </head>

To verify a user’s membership in (or content/microformat published on) any (trusted) 3rd party site:

<div class=“agent vcard microid-a9993e364706816aba3e25717850c26c9cd0d89d”>
<a class=“email fn” href=“mailto:jfriday@host.com”>Joe Friday</a>
<div class=“tel”>+1-919-555-7878</div>
<div class=“title”>Area Administrator, Assistant</div>
</div>

To validate a user’s feedback or reputation on any moderated system (slashdot, digg, etc):

<span class=“score microid-a9993e364706816aba3e25717850c26c9cd0d89d”>5</span>

I’ve gotta admit that it seems too simple to work and I’m gonna have to think about this a while.

Once this [MicroID] is published via one of the number of different ways or as part of a microformat on any page or site, they appear as opaque strings, but unique to a particular ID on that site. When the owner of the communication identifier forms a relationship with a new site, and (critical) that new site validates the communication identifier, they can then immediately validate the MicroID published on any other site for that given communication identifier.

MicroID also allows any third party to crawl and index these microformats and provide a web service that may return a weighted response (for reputations), list of references, etc. This index is anonymous and queries into it may simply provide the hashed version of a validated user-provided communication identifier.

While it may seem that spoofing would be an issue due to the nature of using communication idenitifers and how widely they are sometimes shared or published, the assertion of ownership must always originate from the owner, the MicroID simply allows anyone to validate that relationship very simply.

identity, identity architecture, identity assertion, identity management, identity verification, idm, microformats, microid, identity, identity architecture, identity assertion, identity management, identity verification, idm, microformats, microid

Troy expressed both great amusement and trepidation in his message alerting me to Riya, a new photo sharing site:

I don’t know whether to say cool, or zool.

The tour explains that you upload photos, Riya identifies faces in your photos, then asks you to name them (or correct its guesses!). Then you get all your friends to join up and we can all search for everybody by people, location, and time. So say “hi” to Andrejs and Nora in Normunds‘ photo, above.

So the good news is that there’s a chance that you’ll be able to use this to reconnect with that interesting someone you hooked up with the other night, but the mixed news is he or she may be able to find you — not so great if you instead hoped to disappear anonymously.

And all of this connects to my old chorus: identity is reputation. It’s too early for me to judge how this will effect our lives — well, my life anyway — but 2006 is now the year that facial recognition emerged from the dark halls of law enforcement and counter-terrorism and started greeting us on the street.

That foolish face you made in the background of some unknown tourists photo might be tracked. But is that really so bad? Sure, it might lead to embarrassing explanations, but it might also lead to new connections. Stealing the words of a friend, we seem to enjoy gossamer stories of lives barely touching, and maybe we’ll appreciate the opportunity to occasionally find or be found by the anonymous people who fill the blurry edges of our pictures.

I’m betting we’ll become aware of our social identities, our electronically tracked reputations, and we’ll start to act with some greater consciousness of them. Many bloggers are already familiar with this, sometimes painfully. Our notions of privacy and anonymity will certainly change, but we’re unlikely to be able to stuff this genie back in the bottle. And I’m not yet sure we’ll want to.

anonymity, brave new world, face, face recognition, facial recognition, fear, identity, identity is reputation, idm, photo sharing, privacy, recognition, reputation, riya, six degrees, social software, spy, spying, Spytech, surveillance, tracking, zool

Josh Porter and Alex Barnett got Dick Hardt and Kim Cameron on the line to talk about Identity Management. The result is available as a podcast.

I should add that Josh and Alex are big on the attention economy and social software, so they’re asking questions about how IdM works in those contexts. Most people thinking about IdM today seem to be thinking about its uses in the enterprise or in education, but when I say identity management is the next big thing, I mean it in the social context that Josh and Alex are rooted in.

Alex’s notes:

• What are the biggest problems we need to solve for online identity?
   
• The paradox of silos and a single solution
   
• The Laws of Identity and the Sxip protocols
   
• Consistent user experience
   
• Read / Write identity and Attention Data
   
• Separating identity establishment & management and attention & transactional data management
   
• Trading attention data
   
• Attention data and reputational data
   
• Sxore and Blog comment spam and trackbacks are an identity problem
   
• Attention data maintenance
   
• Personally Identifying Information – PII data maintenance
   
• How would ecommerce sites make use of Attention data?
   
• Enterprise-level privacy
   
• Haven’t already we lost our privacy?
   

It’s going on my iPod now.

idm, identity management, identity 2.0, identity20, dick hardt, kim cameron, josh porter, alex barnett, attention economy, social software

I said “identity management is the next big thing” back in September. That was before I’d seen Sxip founder Dick Hardt’s presentation on Identity 2.0. Zach peeped me the link and told me I wouldn’t regret watching the presentation. He was right. Everybody, especially the people who don’t yet care about identity management, should take a look.
authentication, authorization, dick hardt, identity, identity 2.0, identity 20, identity management, identity2.0, identity20, idm, sxip

I might be overstating it, but Identity Management is the next big thing for the open source community to tackle. That’s why I like Sxip, even though I know so little about it.

There are a number of other solutions stewing, but most of those that I’m aware of are targeted at academic and enterprise users. Wouldn’t it be nice to have some federated system of identity management among blogs?

Yes, IdM is the next big thing, but as an infrastructural technology, it will be invisible when it works.

Here’s another link: The Identity Initiative : iname, FreeID, LID, SXIP, What’s Your Favorite Emerging Digital Identity?

tags: community idm system, community, digital identity, federated, federated identity management, federated system, identity, identity management, idm, open source, open source community