Deutsche Telekom hasn't hesitated in adopting the newly minted OpenID Connect protocol as part of a cutting edge strategy to simplify its identity management infrastructure, improve mobile log-ins and move toward the next generation of access controls.
A year ahead of Connect's final approval, which came Wednesday, the company began implementing the Connect authentication protocol to provide a single sign-on experience for end-users and an elegant architecture that eases partner integrations.
As the largest mobile and fixed line operator in Germany, Deutsche Telekom seeks out simplicity and security in connecting and integrating its giant ecosystem of partners, services and customers. Connect is now a centerpiece of federating single sign-on connections, according to Torsten Lodderstedt, senior product owner for identity management at Deutsche Telekom.
"We want it as simple as possible to integrate with our partners," said Lodderstedt. "And this protocol is dead simple."
Lodderstedt is responsible for maintaining the identity management system that anchors the company's entire slate of consumer services in the German market and says, "our philosophy is to implement services in-house and to integrate partner services."
The company is nearing the completion of migrating its largest consumer service over to Connect, and as of December all of its new partner connections run on Connect.
From the outside looking in, once a user signs on with their Deutsche Telekom credentials, either with the mobile operator or a partner service, they are able to use any of the services they have in the ecosystem without having to log in again.
Deutsche Telekom acts as the identity provider, issuing and validating credentials, and the partners don't need to maintain and store separate usernames and passwords for their customers.
Today, Connect supports mainly consumer services and a few business services, but the protocol provides the capabilities to handle log-ins to more sensitive data and resources offered by Deutsche Telekom.
The company's identity infrastructure started with a proprietary protocol over 10 years ago, tried Liberty Alliance to solve some pressing identity issues, then adopted OpenID 2.0 for identity and OAuth 2.0 for access to applications and third-party APIs. The company eventually adopted OAuth 2.0 as its main integration protocol. OpenID 2.0 will be eliminated entirely in the next 12-24 months.
"The main reason to switch to OpenID Connect was the simplicity of integration with OAuth 2.0," said Lodderstedt. "The second point is that previously we used two protocols, OpenID 2.0 for identity and OAuth 2.0 for access authorization. And guess what, OpenID Connect can do both with the same protocol."
The OpenID Connect protocol is built on the Internet Engineering Task Force's OAuth 2.0 framework.
In addition, Connect is well suited for sign-in to mobile applications, an important improvement over OpenID 2.0.
Lodderstedt says the focus on easing integrations comes from the fact that most developers and partners aren't identity management experts. In response, Deutsche Telekom is simplifying its protocols.
In addition, he said that because Connect can handle many use cases, the time it takes to educate partners on the technology has been reduced dramatically. Today, those partners establish themselves as a relying party in the authentication process.
"We have put [Connect] under intense load and performance testing and the throughput surprised us," said Lodderstedt. "OpenID Connect does not limit the scalability of our apps."
Now the goal is one of awareness, not just within the Deutsche Telekom ecosystem but also around OpenID Connect's ability to support a model where a few trusted identity providers can maintain an identity layer on the Internet.
"There are only a few large identity providers (IdPs) but because now we have a standard protocol more organizations can take on that role," said Lodderstedt.
He hopes web site operators and service providers can be convinced to use third-party log-ins. "These would come from an IdP they trust instead of maintaining their own credentials."
"To really have trustworthy identity providers that know how to do the job and integrate that with your favorite web site for log-ins, that is the benefit and it improves the overall security of the Internet," he said.