Identity User Experience (UX) Summit on October 20th

We'll have the summit at the main Yahoo Campus in Sunnyvale on Monday, Oct 20th, from 10am-5pm.

Directions:
701 First Ave, Sunnyvale, CA 94089
We will be in Building E, which is across the street (directly opposite the guard shack) from the main cluster of Yahoo buildings. We will have guest WiFi this time.
We'll be meeting in Classroom 8 in Building E.  Be sure to tell the receptionist in the Building E lobby that you're here for the OpenID Summit, and that you want to go to classroom 8.

Attendees
Confirmed [42 people - NOTE: The room is going to be cramped, so please hold off asking us to add other people]
AOL: Edwin Aoki (AOL Technology Fellow), Alberto Cobas (System Architect), but not George Fletcher
Amazon: Praveen Alavilli (formerly of AOL)
MySpace: Max Engel + 2 others
Yahoo: Allen Tom, Bryce Glass (Interaction Design), Sabari Devadoss (Product Management), Naveen Agarwal (Director of Engineering, Yahoo Membership), Aanchal Gupta (Sr. Engineering Manager, Yahoo Membership), Eran Hammer-Lahav (Yahoo Open Web Evangelist)
Google: Eric Sachs, Yariv Adan, Jonathan Yu (User Experience), Dirk Balfanz (Engineering)
Janrain: Brian Ellin, Michael Graves (+ Brian Kissel in the morning)
Plaxo/Comcast: Joseph Smarr, John McCrea, Pete Curley, Ryan King
Vidoop: Chris Messina, Michael Richardson, Will Norris
chi.mp: Tony Haile, Josh Porter
Microsoft: Mike Jones, Jorgen Thelin
Sxip: Dick Hardt
Netmesh: Johannes Ernst (also with the OpenID Foundation)
LinkedIn: Steve Ganz
Facebook: Mike Vernal (engineer), Julie Zhou (designer), Josh Elman (partner management), Dave Morin (product marketing), Christina Holsberry (user experience testing)
ZoHo: Raju
Liberty/Internet2: Nate Klingenstein
Verisign: Gary Krall
Independent: Erin Malone (former UED Director for Yahoo (and AOL); she's writing a book on UI Design Patterns)
Magnolia: Larry Halff

Probably not:
Vidoop: Scott Kveton <kveton@vidoop.com>
Plaxo: John McCrea <john@plaxo.com>
MySpace: Allen Hurff <allen@myspace.com>
Janrain: Michael Graves <mgraves@janrain.com>, Larry Drebes <ltd@janrain.com>
Sixapart: David Recordon
Yahoo: Havi Hoffman <havi@yahoo-inc.com>, Stacy Milman <smilman@yahoo-inc.com>


10am-11am: Introductions
11am-12:30pm: RPs with a small set of trusted IDPs - Max from MySpace's presentation + Mike/Julie from Facebook
UX of IDP/SP (Consider simple case of RPs with no legacy login system)
Use Case 4- RP extends the APIs of a single OAuth SP, and wants that SP to also provide identity (MySpace, Google Health, Flickr, etc.) - MySpace/Facebook/Yahoo/Google all have similar UIs for this scenario
UX of RP (Trickier example of RPs with an existing legacy login system)
5- RP is picnik.com and they support multiple OAuth SPs - How would we suggest they modify their sign-in process if we improve our IDP offerings?
6- RP extends the API of a few OpenSocial containers, and wants those SPs to also provide identity (MySpace, Hi5, orkut, Yahoo, etc.) - Pros/cons of the "one button per IDP" vs. picnik.com style mix
12:30pm-1pm: Get food, bring back to desks

1pm-2pm: UX of IDPs for federated login - Presentation by Allen Tom from Yahoo (Yahoo/Google/AOL and others all have similar UIs for this scenario)
2pm-3pm: UX of RPs for federated login (For RPs who want to trust a large number of IDPs purely for login purposes) - Presentation by Eric Sachs from Google

Use Case 7- RP is a SaaS vendor with a large selection of companies as customers, and some want to run their own IDP (RP example is salesforce.com, ADP, GoogleAppsForYourDomain) - Google has shared some recent research
Use Case 8- RP is an E-commerce site trying to increase the % of their users who finish the account creation process - Also covered by Google's research
Use Case 9- RP is a magazine/newspaper with a need for the lightest-weight authentication mechanism possible for their subscription customers - Main discussion topic at the OpenID meeting in New York
3pm-4pm: Detailed group discussion of UX guidelines for RPs for federated login.  Potential side topics or breakouts include:
Single sign-OUT
IDP hints via the browser
Mixing buttons with E-mail
RPs who want to minimize the PII they have about a user
E-mail as just another OAuth service
Rich-client apps and federated login
StrongAuth and portability
Trusted whitelists of IDPs
IDP as an outsourced service (migrating to/from service providers)
4pm-4:30pm: Summarize our notes from the day
4:30-5pm: Identify key use cases that still need discussion, identify methods for followup (such as IIW)

Extra Topics (if we have time)
E-mail validation (no login) - Yariv from Google & Max from MySpace will lead
Use Case 3- RP wants to validate ownership of an E-mail address from the same OP that operates that E-mail domain (Gmail, Yahoomail, AOLmail, etc.) - Popular topic at the OpenID meeting in New York
Use Case 3b- Same as #3, but OP does NOT operate that E-mail domain.
Blog commenting (no login), include UI for IDPs who don't have public URLs for all users - Allen Tom lead
Use Case 1- RP wants to get a URL assertion from an OP that provides a public URL to everyone (MySpace, Blogger, etc.) - Reasonable standards exist
Use Case 2- RP wants to get a URL assertion from an OP that provides an option for all their users to have a public URL (Google Accounts, Yahoo, etc.) - Yahoo has shared some recent research




Use Cases:
1- RP wants to get a URL assertion from an OP that provides a public URL to everyone (MySpace, Blogger, etc.) - Reasonable standards exist
2- RP wants to get a URL assertion from an OP that provides an option for all their users to have a public URL (Google Accounts, Yahoo, etc.) - Yahoo has shared some recent research
3- RP wants to validate ownership of an E-mail address from the same OP that operates that E-mail domain (Gmail, Yahoomail, AOLmail, etc.) - Popular topic at the OpenID meeting in New York
3b- Same as #3, but OP does NOT operate that E-mail domain.
4- RP extends the APIs of a single OAuth SP, and wants that SP to also provide identity (MySpace, Google Health, Flickr, etc.) - MySpace has shared their early UI, Google can share theirs
5- RP is picnik.com and they support multiple OAuth SPs - How would we suggest they modify their sign-in process if we improve our IDP offerings?
6- RP extends the API of a few OpenSocial containers, and wants those SPs to also provide identity (MySpace, Hi5, orkut, Yahoo, etc.) - Pros/cons of the "one button per IDP" vs. picnik.com style mix
7- RP is a SaaS vendor with a large selection of companies as customers, and some want to run their own IDP (RP example is salesforce.com, ADP, GoogleAppsForYourDomain) - Google has shared some recent research
8- RP is an E-commerce site trying to increase the % of their users who finish the account creation process - Also covered by Google's research
9- RP is a magazine/newspaper with a need for the lightest-weight authentication mechanism possible for their subscription customers - Main discussion topic at the OpenID meeting in New York
10- RP is an existing website that wants to add more social features such as posting to activity streams - Could just use OAuth, but MySpace & some other OpenSocial containers have thought about a more integrated experience with an IDP
11- An RP wants to trust a single RP who will act as an intermediary to multiple IDPs, however in the UI the user will probably see the target RP & intermediary RP as a single entity.
11-RP wants to delegate the OpenID Relying Party portion of the protocol to a "trusted" service
12-OAuth SP wants to let users give another website the right to issue OAuth tokens that will be accepted by the first SP

