As both team and customer base grows, the pain of maintaining meta-data about customers and solutions follows. A quite common way to do this, which I have implemented and been the victim of, is to store all details in a wiki, CRM or issue system, not to mention word documents and version control systems. This has quite a few drawbacks, one being maintenance. Plus this means that everyone has access to everything - including hired guns. I have yet to see a wiki with rights implemented from AD or similar - they sure can, but who does? In addition, is it ok for the customer that we store logins to their systems this way?
We can get around this by implementing an authentication provided ala OpenID, Oauth, WIF etc. against your own authentication source. Think facebook connect but replace facebook with your internal system.
Here is the steps involved in this process:
- Open authentication url at customers site.
- Customers server initiate authentication session directly with your server
- Server redirects browser to your server with a key and authenticates on your domain with their normal username and password.
- Upon successful authentication the user is redirected back from your own server to the customer with a new key.
- Customers server verifies successful authentication with your server using the key pair.
Session is authenticated on the customer server as needed.
This is pretty close to a normal OpenAuth connect, see the image below from http:/:/oauth.net. It is nothing new or revolutionary, it is merely and adoption of a common technique to a different domain.
Besides making our own life easier this means that we can control access to customer sites using rights on our own authentication provider. Most importantly, we do not store username and password for customer site.
Unsafe? If you ask me, it is a lot better than having usernames and password lying around. The unsafe link here is the authentication server, but it is a lot easier to take this server offline than to call numerous customers and tell them to change passwords as your wiki was hacked. Also, this method makes it really easy for us to log when anyone has accessed a customer site or even add 2 factor authentication by text messaging.
So again, why is this important for the customer? Not only do you have a supplier that invests in increased productivity, but ask yourself - would you work with a company that takes this amount of care or someone who stores username and passwords in a word document?
Finally, do you even know how your suppliers store access information to your systems?