During one of the hospitality parties at the Burton Group's Catalyst conference I came across the SXIP folks showing their cool new application service “outsourcing appliance” that lets enterprises outsource HR or mail and calendar to companies like Salesforce.com and Google. When employees are inside the firewall, they can just leverage Active Directory or some other LDAP server or authentication system to automatically create a SAML token that will log them into the service.
One of the requirements SXIP has encountered is for employees to be able to securely access these resources from their homes and hotel rooms without introducing the risk of passwords leaking.
After all, most companies don't want employees revealing their enterprise username and password to service suppliers – but also don't want to support a separate username/password outside the firewall… SXIP's solution: use Information Cards. It's a very simple and nice solution.
While looking at what they've done, I met David Huska, the incredibly fast and energetic engineering guy behind the project. He started telling me about CardSpace and his mother, and I could see he had a great potential CardSpace “elevator pitch” – meaning a way to explain a technology while riding an elevator up a few stories. So I cut him off, pulled out my phone, and asked him to start again. Here's what he said:
Kim: So you were talking about your mother…
Dave: What were you saying about my mother, Kim? Were you talking about my mother?
Kim: I love your mother.
Dave: Alright. CardSpace is an analogy my mother gets. She doesn't understand what I do in a million years, but CardSpace she gets. She sees the cards. Everything else stops. Everything goes away. She can't do anything else until she chooses a card.
When she pulls out her purse, she sees her cards. And with CardSpace, she sees her cards. She can see what card they want from her. She can see the information they're looking for from her. She can decide what she wants to use, or not – what she wants to approve or not.
It's like being in the supermarket. She can decide which card she wants to give – and if she wants to. It makes sense for her. It's simple. It's a clean UI. It's well done.
Kim: (Referring to SXIP's cool new system – that supports Information Cards.) So has your mother actually seen this?
Dave: Yes, she's seen it running on my test machine. She said, “Oh this is what you do. I finally get it.” And I had to say, “Well, this isn't exactly what I do – it's what another company does.” But you got her closer to understanding what I do than just about anything else I've ever shown her. So thank you.
Dave is great – and I love his mother too. Any thanks should be directed to all the people on the CardSpace team who did all the work and refinement and threat modelling and studies, and who are coming out with a nice update in the very near future.