Identity User Experience (UX) Summit on October 20th

We'll have the summit at the main Yahoo Campus in Sunnyvale on Monday, Oct 20th, from 10am-5pm.

Directions:

701 First Ave, Sunnyvale, CA 94089

We will be in Building E, which is across the street (directly opposite the guard shack) from the main cluster of Yahoo buildings. We will have guest WiFi this time.

Directions can be found here: http://yhoo.client.shareholder.com/press/address.cfm

We'll be meeting in Classroom 8 in Building E. Be sure to tell the receptionist in the Building E lobby that you're here for the OpenID Summit, and that you want to go to classroom 8.

Attendees

Confirmed [42 people - NOTE: The room is going to be cramped, so please hold off asking us to add other people]

AOL: Edwin Aoki (AOL Technology Fellow), Alberto Cobas (System Architect), but not George Fletcher

Amazon: Praveen Alavilli (formerly of AOL)

MySpace: Max Engel + 2 others

Yahoo: Allen Tom, Bryce Glass (Interaction Design), Sabari Devadoss (Product Management), Naveen Agarwal (Director of Engineering, Yahoo Membership), Aanchal Gupta (Sr. Engineering Manager, Yahoo Membership), Eran Hammer-Lahav (Yahoo Open Web Evangelist)

Google: Eric Sachs, Yariv Adan, Jonathan Yu (User Experience), Dirk Balfanz (Engineering)

Janrain: Brian Ellin, Michael Graves (+ Brian Kissel in the morning)

Plaxo/Comcast: Joseph Smarr, John McCrea, Pete Curley, Ryan King

Vidoop: Chris Messina, Michael Richardson, Will Norris

chi.mp: Tony Haile, Josh Porter

Microsoft: Mike Jones, Jorgen Thelin

Sxip: Dick Hardt

Netmesh: Johannes Ernst (also with the OpenID Foundation)

LinkedIn: Steve Ganz

Facebook: Mike Vernal (engineer), Julie Zhou (designer), Josh Elman (partner management), Dave Morin (product marketing), Christina Holsberry (user experience testing)

ZoHo: Raju

Liberty/Internet2: Nate Klingenstein

Verisign: Gary Krall

Independent: Erin Malone (former UED Director for Yahoo (and AOL); she's writing a book on UI Design Patterns)

Magnolia: Larry Halff

Probably not:

Vidoop: Scott Kveton <kveton@vidoop.com>

Plaxo: John McCrea <john@plaxo.com>

MySpace: Allen Hurff <allen@myspace.com>

Janrain: Michael Graves <mgraves@janrain.com>, Larry Drebes <ltd@janrain.com>

Sixapart: David Recordon

Yahoo: Havi Hoffman <havi@yahoo-inc.com>, Stacy Milman <smilman@yahoo-inc.com>

10am-11am: Introductions

11am-12:30pm: RPs with a small set of trusted IDPs - Max from MySpace's presentation + Mike/Julie from Facebook

UX of IDP/SP (Consider simple case of RPs with no legacy login system)

Use Case 4- RP extends the APIs of a single OAuth SP, and wants that SP to also provide identity (MySpace, Google Health, Flickr, etc.) - MySpace/Facebook/Yahoo/Google all have similar UIs for this scenario

UX of RP (Trickier example of RPs with an existing legacy login system)

5- RP is picnik.com and they support multiple OAuth SPs - How would we suggest they modify their sign-in process if we improve our IDP offerings?

6- RP extends the API of a few OpenSocial containers, and wants those SPs to also provide identity (MySpace, Hi5, orkut, Yahoo, etc.) - Pros/cons of the "one button per IDP" vs. picnik.com style mix

12:30pm-1pm: Get food, bring back to desks

1pm-2pm: UX of IDPs for federated login - Presentation by Allen Tom from Yahoo (Yahoo/Google/AOL and others all have similar UIs for this scenario)

2pm-3pm: UX of RPs for federated login (For RPs who want to trust a large number of IDPs purely for login purposes) - Presentation by Eric Sachs from Google

Use Case 7- RP is a SaaS vendor with a large selection of companies as customers, and some want to run their own IDP (RP example is salesforce.com, ADP, GoogleAppsForYourDomain) - Google has shared some recent research

Use Case 8- RP is an E-commerce site trying to increase the % of their users who finish the account creation process - Also covered by Google's research

Use Case 9- RP is a magazine/newspaper with a need for the lightest-weight authentication mechanism possible for their subscription customers - Main discussion topic at the OpenID meeting in New York

3pm-4pm: Detailed group discussion of UX guidelines for RPs for federated login. Potential side topics or breakouts include:

Single sign-OUT

IDP hints via the browser

Mixing buttons with E-mail

RPs who want to minimize the PII they have about a user

E-mail as just another OAuth service

Rich-client apps and federated login

StrongAuth and portability

Trusted whitelists of IDPs

IDP as an outsourced service (migrating to/from service providers)

4pm-4:30pm: Summarize our notes from the day

4:30-5pm: Identify key use cases that still need discussion, identify methods for followup (such as IIW)

Extra Topics (if we have time)

E-mail validation (no login) - Yariv from Google & Max from MySpace will lead

Use Case 3- RP wants to validate ownership of an E-mail address from the same OP that operates that E-mail domain (Gmail, Yahoomail, AOLmail, etc.) - Popular topic at the OpenID meeting in New York

Use Case 3b- Same as #3, but OP does NOT operate that E-mail domain.

Blog commenting (no login), include UI for IDPs who don't have public URLs for all users - Allen Tom lead

Use Case 1- RP wants to get a URL assertion from an OP that provides a public URL to everyone (MySpace, Blogger, etc.) - Reasonable standards exist

Use Case 2- RP wants to get a URL assertion from an OP that provides an option for all their users to have a public URL (Google Accounts, Yahoo, etc.) - Yahoo has shared some recent research

Use Cases:

1- RP wants to get a URL assertion from an OP that provides a public URL to everyone (MySpace, Blogger, etc.) - Reasonable standards exist

2- RP wants to get a URL assertion from an OP that provides an option for all their users to have a public URL (Google Accounts, Yahoo, etc.) - Yahoo has shared some recent research

3- RP wants to validate ownership of an E-mail address from the same OP that operates that E-mail domain (Gmail, Yahoomail, AOLmail, etc.) - Popular topic at the OpenID meeting in New York

3b- Same as #3, but OP does NOT operate that E-mail domain.

4- RP extends the APIs of a single OAuth SP, and wants that SP to also provide identity (MySpace, Google Health, Flickr, etc.) - MySpace has shared their early UI, Google can share theirs

5- RP is picnik.com and they support multiple OAuth SPs - How would we suggest they modify their sign-in process if we improve our IDP offerings?

6- RP extends the API of a few OpenSocial containers, and wants those SPs to also provide identity (MySpace, Hi5, orkut, Yahoo, etc.) - Pros/cons of the "one button per IDP" vs. picnik.com style mix

7- RP is a SaaS vendor with a large selection of companies as customers, and some want to run their own IDP (RP example is salesforce.com, ADP, GoogleAppsForYourDomain) - Google has shared some recent research

8- RP is an E-commerce site trying to increase the % of their users who finish the account creation process - Also covered by Google's research

9- RP is a magazine/newspaper with a need for the lightest-weight authentication mechanism possible for their subscription customers - Main discussion topic at the OpenID meeting in New York

10- RP is an existing website that wants to add more social features such as posting to activity streams - Could just use OAuth, but MySpace & some other OpenSocial containers have thought about a more integrated experience with an IDP

11- An RP wants to trust a single RP who will act as an intermediary to multiple IDPs; however, in the UI the user will probably see the target RP & intermediary RP as a single entity.

11-RP wants to delegate the OpenID Relying Party portion of the protocol to a "trusted" service

12-OAuth SP wants to let users give another website the right to issue OAuth tokens that will be accepted by the first SP