OneID enterprise provisioning

Provisioning without using a shared secret

OneID allows you to easily bring a secure trustable identity to your enterprise.

The RP asks for the email address on login and, on the first login, matches the email address (certified by OneID as belonging to the user) against the email addresses in a provisioning file; from then on it uses the user's public keys for all future logins. That way it doesn't matter if the user's email address later changes: he can still log in, because the match is to the stored keys. This avoids having to issue usernames and passwords to provision users.

Alternatively, you can ask the user for his OneID friendlyname or number, use the OneID certification to match it against a database of friendlynames/numbers, and then remove the matched database entry and store the UID and public keys for future use.

Provisioning with a shared secret

You can also give out usernames and passwords and require the user to enter them for the first login after hitting the OneID login button. This is convenient if the user already has a legacy username and password; subsequent logins won't prompt for a username/password.
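The two provisioning paths above, written out as the relying party's own logic, as an added example that is not OneID's code or SDK. A UID already bound to a key logs in by key alone (so a later email change is irrelevant); an unknown UID is bound on first login either by a OneID-certified email found in the provisioning file or by a legacy username/password typed one last time. The CertifiedLogin layout, the challenge handling, the UID and email values, and the use of Ed25519 are all assumptions for the sake of the example; the page does not describe OneID's actual payload or key type.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// CertifiedLogin models what the RP receives after the OneID login button:
// a stable user id, the user's public key, the email OneID certified as the
// user's (present on first login), and a signature over an RP-issued
// challenge proving possession of the key. Hypothetical layout.
type CertifiedLogin struct {
	UID       string
	PublicKey ed25519.PublicKey
	Email     string
	Challenge []byte
	Signature []byte
}

// Provisioning is the RP's state: the provisioning file of allowed emails,
// an optional verifier for legacy username/password pairs (the shared-secret
// path), and the UID -> public key bindings created on first login.
type Provisioning struct {
	pendingByEmail map[string]bool
	verifyLegacy   func(user, pass string) bool
	keyByUID       map[string]ed25519.PublicKey
}

func NewProvisioning(emails []string, verifyLegacy func(user, pass string) bool) *Provisioning {
	p := &Provisioning{
		pendingByEmail: map[string]bool{},
		verifyLegacy:   verifyLegacy,
		keyByUID:       map[string]ed25519.PublicKey{},
	}
	for _, e := range emails {
		p.pendingByEmail[e] = true
	}
	return p
}

// proveKey rejects any login that does not hold the private key for the
// presented public key, whatever email or UID it claims.
func proveKey(l CertifiedLogin) bool {
	return len(l.PublicKey) == ed25519.PublicKeySize &&
		ed25519.Verify(l.PublicKey, l.Challenge, l.Signature)
}

// Login binds on first use and checks the key on every later use. A
// provisioning-file entry is consumed when matched so it cannot bind a
// second identity; the legacy verifier is the caller's and decides its own
// one-time policy.
func (p *Provisioning) Login(l CertifiedLogin, legacyUser, legacyPass string) error {
	if !proveKey(l) {
		return errors.New("challenge signature does not verify against presented key")
	}
	if bound, ok := p.keyByUID[l.UID]; ok {
		if !bound.Equal(l.PublicKey) {
			return errors.New("UID is already bound to a different key")
		}
		return nil // subsequent login: key only, email is not consulted
	}
	if l.Email != "" && p.pendingByEmail[l.Email] {
		delete(p.pendingByEmail, l.Email)
		p.keyByUID[l.UID] = l.PublicKey
		return nil
	}
	if p.verifyLegacy != nil && legacyUser != "" && p.verifyLegacy(legacyUser, legacyPass) {
		p.keyByUID[l.UID] = l.PublicKey
		return nil
	}
	return errors.New("not provisioned")
}

// IsBound reports whether a UID has completed first-login binding.
func (p *Provisioning) IsBound(uid string) bool {
	_, ok := p.keyByUID[uid]
	return ok
}

// newLogin generates a user key pair and a signed login; the UID and email
// are constructed sample values. A real RP would issue a fresh random nonce.
func newLogin(uid, email string) (CertifiedLogin, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	l := CertifiedLogin{UID: uid, PublicKey: pub, Email: email}
	l.resign(priv, []byte("challenge-for-"+uid))
	return l, priv
}

// resign signs a new challenge with the user's private key, as each login would.
func (l *CertifiedLogin) resign(priv ed25519.PrivateKey, challenge []byte) {
	l.Challenge = challenge
	l.Signature = ed25519.Sign(priv, challenge)
}

func main() {
	p := NewProvisioning([]string{"alice@example.com"}, nil)
	alice, priv := newLogin("uid-alice", "alice@example.com")
	fmt.Println("first login:", p.Login(alice, "", ""))
	alice.Email = "alice@newdomain.example" // email changed after binding
	alice.resign(priv, []byte("second-challenge"))
	fmt.Println("after email change:", p.Login(alice, "", ""))
}
```

The point worth checking in a real deployment is the order of the checks: possession of the key is proven before any provisioning-file or legacy lookup, and a UID that is already bound can never be re-bound to a different key by presenting a matching email or a valid legacy password.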

RBAC credentials

For RBAC, there are a number of options:

  1. You leverage an existing AD/LDAP database with RBAC information by linking to what is there (e.g., using the email address or a username/password to link it up). This is the most straightforward approach. On first login the user links to a legacy identity, say with a username and password typed one last time, and from then on the legacy identity's RBAC information is simply reused.
  2. Create a separate LDAP database keyed by the OneID identifier.
  3. You insert into the user’s OneID a signed certificate with the RBAC information. The certificate is tied to a public key of the user so it isn't just a bearer assertion. You'd have to check for revocation however.
  4. Do #3, but do it with a real time challenge. No revocation issues since it is real-time. You basically ask the OneID user for his attributes (or challenge him with a boolean) that must be signed by an authority that you trust.
  5. Use Dell’s XACML product which will soon support OneID. Because we’re pre-integrated, it’s no work for you.
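Options 3 and 4 above, as an added example that is not OneID's code or a OneID API: an attribute certificate carrying the user's roles, signed by an authority the RP trusts and bound to the user's public key, verified together with a real-time challenge that the user must sign with that key. The certificate layout, serial numbers, role names and the Ed25519 key type are assumptions; the Revoked map stands in for whatever revocation check option 3 would need, and the challenge check shows why option 4 makes the certificate useless to anyone who merely holds a copy of it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AttributeCert is the option-3 artifact: the user's RBAC roles, signed by a
// trusted authority and bound to the user's public key, so holding the
// certificate alone proves nothing. Hypothetical JSON layout.
type AttributeCert struct {
	SubjectKey ed25519.PublicKey `json:"subject_key"`
	Roles      []string          `json:"roles"`
	Serial     string            `json:"serial"`
	NotAfter   int64             `json:"not_after"` // Unix seconds
}

// SignedCert keeps the exact bytes that were signed, so the RP verifies what
// the authority signed rather than a re-serialisation.
type SignedCert struct {
	Body      []byte
	Signature []byte
}

func IssueCert(authority ed25519.PrivateKey, c AttributeCert) (SignedCert, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return SignedCert{}, err
	}
	return SignedCert{Body: body, Signature: ed25519.Sign(authority, body)}, nil
}

// Verifier is the RP side. Revoked stands in for the revocation list option 3
// requires; Now is injectable so expiry can be tested deterministically.
type Verifier struct {
	Authority ed25519.PublicKey
	Revoked   map[string]bool
	Now       func() time.Time
}

func (v Verifier) now() time.Time {
	if v.Now != nil {
		return v.Now()
	}
	return time.Now()
}

// Authorize is the option-4 real-time flow: the RP-issued challenge (a fresh
// nonce) must be signed by the key named in the certificate, and the
// certificate must be authority-signed, unexpired, unrevoked and grant the role.
func (v Verifier) Authorize(sc SignedCert, challenge, userSig []byte, wantRole string) error {
	if len(v.Authority) != ed25519.PublicKeySize || !ed25519.Verify(v.Authority, sc.Body, sc.Signature) {
		return errors.New("certificate is not signed by a trusted authority")
	}
	var c AttributeCert
	if err := json.Unmarshal(sc.Body, &c); err != nil {
		return err
	}
	if v.now().Unix() > c.NotAfter {
		return errors.New("certificate expired")
	}
	if v.Revoked[c.Serial] {
		return errors.New("certificate revoked")
	}
	if len(c.SubjectKey) != ed25519.PublicKeySize || !ed25519.Verify(c.SubjectKey, challenge, userSig) {
		return errors.New("challenge was not signed by the certificate subject")
	}
	for _, r := range c.Roles {
		if r == wantRole {
			return nil
		}
	}
	return errors.New("role not granted by certificate")
}

// NewChallenge returns a fresh nonce; the RP should accept each one only once.
func NewChallenge() []byte {
	b := make([]byte, 32)
	rand.Read(b)
	return b
}

func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

func sign(priv ed25519.PrivateKey, msg []byte) []byte { return ed25519.Sign(priv, msg) }

func main() {
	authPub, authPriv := genKey()
	userPub, userPriv := genKey()
	cert, _ := IssueCert(authPriv, AttributeCert{SubjectKey: userPub, Roles: []string{"auditor"},
		Serial: "cert-0001", NotAfter: time.Now().Add(time.Hour).Unix()})
	v := Verifier{Authority: authPub, Revoked: map[string]bool{}}
	ch := NewChallenge()
	fmt.Println("auditor:", v.Authorize(cert, ch, sign(userPriv, ch), "auditor"))
	fmt.Println("admin:", v.Authorize(cert, ch, sign(userPriv, ch), "admin"))
}
```

With the challenge in place, a leaked or replayed certificate is rejected because its holder cannot sign the nonce; the remaining exposure is a stale certificate whose roles have changed, which is exactly what the expiry and revocation checks (or the real-time attribute query of option 4) are there to cover.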