Identifier or Attribute Provider

From MgmtWiki
Revision as of 21:21, 25 August 2019 by Tom (talk | contribs) (Social IdPs)

Jump to: navigation, search

Full Title or Meme

Provides service to users to authenticate the user's identifiers or attributes for Relying Parties.


  • This term (IAP) is used in place of Identity Provider (IdP) on this wiki to be clear about the full range of function of the service provided.
  • This term would encompass the concept of an OpenID Connect Provider (OP) role among other roles, like that of an Attribute Provider.


It costs a great deal of money for the operation and maintenance of any provider. Besides that, there is the very real risk of being sued by any number of individuals or governments capable of enforcing huge costs. At the same time the users have become accustomed to get any service provided at no cost on the internet. This means that any successful provider will have a business model that provides a significant cash flow, or sovereign immunity from prosecution.

Social IdPs

A number of very successful businesses host "Identifier Providers" (IdPs) as a part of their effort to reach a large number of consumers of goods or services. The most well known in the West are Microsoft, Google and Facebook. The services and federated sign in capability that they provide is very attractive and reduces the Cognitive Overload caused by the large number of sites where the user has registered. Previous to social sign-in, each had their own user name and password. But there is a potentially large cost to users who rely on these social IdPs, the risk of losing an identity that is important in their daily lives if that site should disable the account for any reason it might choose.

All of the large social IdPs are now subject to intensive social and governmental pressures to limit socially obnoxious behaviors like "hate speech" or incitement to violence. Their response has been to impose blockages of the user' account for period varying from 1 day to lifetime. If the user has entrusted that IdP with access to a significant part of their Web Site access control, the lost access can put them "out-of-business" on the web. And the real problem is that this can happen through no action of their own. If anyone has every had their account at one of these sites compromised by a hacker, the will understand that the effort to regain access can be long and grueling with the possibility of requiring the user to "fax" them some corroborative evidence of ownership, such as a driver's license. Something that the attacker is all too willing to provide to gain access to accounts that have some value to them. Losing one's identity in real-life does happen, but very rarely. On the internet it is a daily occurrence for a surprising large number of hapless victims.

The one bit of advice to offer is to select a social network that is least likely to be pressured into stopping access to your Identifier. In the middle of 2018 Facebook was facing the most pressure to disable accounts for hate speech and inciting violence. Their response was to delete a large number of "fake" accounts. If any resources had been bound to those accounts, access would have been lost. The pressures continuing into 2019 for Facebook to "clean up their act" has led to numerous legitimate users being deleted with not real way to recover access to their accounts or any resources that may have be linked to those accounts.<ref>Kashmir Hill, Locked out by Facebook, and pounding on the Door. (2019-08-25) The New York Times p. B5</re>