OpenID for B2B websites

About OpenIDopenid-logo-wordmark

OpenID provides a mechanism by which a user may be authenticated by using a third party. This means the site consuming the Open ID does not have to maintain tables with user ID and password hashes (although providing parallel support is advisable). When a user chooses to login, they are redirected to the third party site, Google for instance, in order to authenticate themselves and come back to the originating site on a call back URL. Similar to the way card payment providers send the browser to the bank to enter the verified by Visa or Mastercard secure code authentication. The call back will contain a valid authentication token if the authentication was a success. The newer versions of Open ID also allow details of the user stored by the third party to be retrieved from their profile. Details such as email address may be requested or required to be sent. This information may then be used to pre-fill registration forms or wipe out the need for registration forms in extreme examples.

Most internet users already have an Open ID, even though most don’t know it. This is courtesy of large internet players such as Google and Yahoo. Account holders on these services and many others automatically create an Open ID for users. The appeal of OpenID to the website owner is that the user will find it easy to authenticate themselves with a registration process that is minimised or eliminated. The attraction to the user is that they finally do not have to manage hundreds of passwords for all the sites they visit because everyone uses a unique password every time -right?

Implementing OpenIDOpenID Selector Login Icons

I considered OpenID a while back but dismissed it as too geeky for a mainstream eCommerce site to use. The integration was painful at the time and the user experience was poor. Now times have moved on and there are libraries that can be included in a project that provide for easy integration of OpenID such as DotNet OpenAuth. There are also javascript projects that address some of the clunky user interface issues experienced in the early days. They present the OpenID login as familiar service icons, see Openid Selector Project. There are variants that give graphical drop down boxes for the available services too.

Using OpenID for B2B

I am in no doubt that for consumer sites such as Kmartin the US and for personal sites like blogs. they can benefit from allowing users to login using OpenID. The question is should we use OpenID today for a business to business website? It is appealing that people can click on familiar Facebook or Google icons to login to the site but the fear is that by doing so, all too often the captured identity of the person would be domestic, not their professional work identity.

As time goes on the way identities are managed by individuals may converge but at the moment there is too much risk of fragmenting database marketing activity data with these  personal profiles. It is not unreasonable to think that a customer logging into a site with Facebook will end up, through ignorance, providing their home account details. Domestic email addresses are an inappropriate channel to communicate with them through for order confirmations, marketing initiatives, etc.

Is there no work around?

Perhaps when a new OpenID is authenticated and comes back into the site we could ask if the email address of the OpenID is the same email address they want to correspond with us on and allow the user to add a correspondence address. The only problem is that we have not authenticated against that address if they do this that sort of feels like a bad idea. Certainly this does not help us with say rules that automatically map domain names of email addresses to account numbers as we can not allow this person to place an order on an account for which we cannot guarantee they are authorised to do so. It would be interesting if readers have found ways to work around this issue.

Security concerns

A college raised the concern of what if the OpenID password is compromised by a key logger or similar? Would this make a site using OpenID open to fraud? It does, although in reality most people use the same passwords across most sites, thus the risk is not greatly increased, but it is certainly present. It is a concern and a better understanding of the risks before committing to any OpenID scheme would be required. There is a lack of awareness as to how important protecting these big portal logins is amongst the internet population. Many are not aware the amplitude of damage that may be caused by compromising, say a Google identity. Think of how many site could be accessed in that user’s name.

Another related question regards customers with many branch offices or larger teams of people. It is possible to for a suitably privileged user in that organisation to create and manage user accounts for their staff on our site for those other workers. OpenID would not change this as the association between an account created with an email address can be picked up when a user logs in as the OpenID provider will return an email address for the user logging in. This is assuming we have got the same email address as the OpenID provider, bit assumption given what we are saying about domestic logins earlier.


It is disappointing that we will not be implementing OpenID as it would clearly provide benefits to users that understand how to manage their identities in that framework. Unfortunately for B2B websites I don’t think the paradigm is well enough understood by the end users and hence confusion may ensue leading to long telephone support calls with customers.

It is reasonable to assume that non IT workers have not created the appropriate professional and domestic identities with the authenticating sites. One exception is Linkedin , promoted as a professional network here people are more likely to have set up accounts in the context of their employment. Unfortunately as far as I am aware Linkedin does not support OpenID yet.


Rebuild sort order after delete or insert of record

Using TSQL Ranking Function on a sort column

Where there is a sort column containing numbers from 1..n representing the order in which a list of items in the database should be displayed, you have problems managing the insert and delete of records. Insert needs the records to be moved up that are above the sort order of the item getting inserted. Delete will leave a hole in the sort order.

Here you may see how the TSQL Ranking and Partitioning functions helps out.


WITH TempNewsTable (NewSort,OriginalSort) AS
FROM dbo.NewsSummaries) 
UPDATE TempNewsTable 
SET OriginalSort=NewSort


Here the sort column is regenerated based on the existing sort order, any gaps will be filled in.

If we want to insert a record then a tweak will leave us a gap,

WITH TempNewsTable (NewSort,OriginalSort) AS
FROM dbo.NewsSummaries) 
UPDATE TempNewsTable 
SET OriginalSort=NewSort+1 
WHERE SortOrder >= @InsertedItemSortOrder

Where @InsertedItemSortOrder is the sort order of the item we are inserting. A whole is left for the new row to be inserted.

Update is similar again, make a hole for new item and renumber to close up the hole we leave by moving the sort order of the item we are editing.

Multiple settings files generated by custom tools

A day lost due to this problem

Whenever a custom tool runs in our solution it generates a second, third, fourth designer file. So for exampe, adding a new project setting, adding something in one of the datasets in the project.

So under settings node, show all files you end up with having edited three things;

This then causes compile errors as we have duplicate code generated.

  • Even creating a new project in the solution, the new project suffers the same problem.
  • The project is under source control, Team Foundation Server and Visual Studio is 2010, but I’ve seen this when it was the previous Visual Studio 2008.
  • Unbinding the project from source control after creating a new project means the project does not exhibit the problem.

Just like in this post;

Settings1.Designer.cs Bug: Multiple settings files

I’m ready for Netduino plus

More learning in my new role

My new role involves managing electronic, mechanical and software design and development for our group of companies. It has lead me to learn about writing software for “chips”.
We currently design and manufacture electronic hardware, these devices have standard analogue electronics and over the years they have increasingly incorporated microprocessors too. Commonly these are processors from the Microchip PIC, and some programmable logic controllers (PLCs) for faster video manipulation needs.


.NET Micro Framework.NET Micro Framework

For some time I have been aware of the .NET Microframework and have wanted to have a try of it, but without any good reason to, other emerging strands such as MVC, Entity Framework, WCF and more have taken priority. Thus now I find that the excuse is in place, dive in and see what it has to offer and importantly where it is appropriate in hardware development.

Microsoft .NET Micro Framework  is a cut down version of the full .NET framework ported to run on small processors. That said these “small” processors are more powerful than the ones I used to write my thesis on at university. Once programmed up, the chips can be embedded in larger hardware device designs. Our current hardware designs utilise Microchip PIC processors, programmed using C. The great leap we find is that the Micro Framework dumbs down the programming of microprocessors so that anyone who is experienced with C# can program a chip – really they can, it is that easy!

The performance suffers resulting in less grunt from the .NET processors, and yes there is much less choice on the .NET platform of microprocessors than the vast choices found in the Microchip PIC range. Also expect the PIC developer in the dev lab will turn their nose up at you, but we don’t care, we are used to being shunned as .NET developers. What it can happen, is skilled programmers from the enterprise development team may fulfil rapid prototyping requirements in the hardware domain. Indeed if the solution is a one off it may also be appropriate to produce the production hardware using this platform.


Good for rapid prototyping and hobbyists

I yet have to be convinced that .NET framework processors are appropriate for mass produced goods as they are relatively expensive compared to PIC alternatives. I can see that for niche products with small runs, the advantage in speed to market against the price of the processor may be something that is appealing for some projects. With about a £30 entry point for development boards it is great for the hobbyist to get started without the hurdle of great expense.



Anyone who has been to a Maker Faire will know the popularity of the Arduino boards for the hobby market. These small processor boards come in a standard factor that allows pre-made peripheral hardware devices, like displays, GPS receivers, infrared sensor to be plugged in, reducing skills and time to produce something fun. As the difficult task of electronic design is packaged up for you, more time can be made of the fun bits of the designing of software to run on it.

Netduino & Netduino Plus

Secret labs have produced a Arduino compatible board, a board that works with most of the plug in peripherals that the well established Arduino community enjoy. Named the Netduino, the board uses a processor that is programmed using the .NET Micro Framework. There are other similar Arduino compatible boards around, notably the FEZ Panda and Domino range that are slightly more powerful, but at a higher price. Perhaps not as attractive as a starting point. Remember we are in the hardware domain now, you may end up blowing these things up, leaving you with no option but buying a new one, reboot will bring things back to how they were. The development environment and process is very familiar. Start up your Visual Studio, download the SDK for .NET Micro Framework and the SDK for the board, reference them in code, then start programming. Use Visual Studio to deploy to the hardware board and enjoy your LED flashing or robot move!

A buzz is around at the moment (Nov. 2010), a new version of the Netduino is emerging from Beta, this adds much more to the basic board, such as TCP/IP natively on board & MicroSD slot, all without having to buy external peripherals. Considering most potential projects I think of for work and home require to be connected to the internet or corporate network, this is a great move! I am expecting delivery of mine before Christmas and I’ll bog a bit more when I have it.


and beyond

There is a port of the .NET Micro Framework for the Blackfin processor family, AxiDotNet so if you need to do some serious number crunching, for example video processing, go in that direction.

It is exciting that I get a chance to work on another .NET framework platform and will it will be interesting to see what I can do with it. I might even make a presentation for our local developer user group if I feel confident enough!

You might find the Chris Walker’s conversation with Scott Hanselman a good place to start if you have a spare twenty minutes to spare Hanselminutes - Deeper into the Netduino with Chris Walker from Secret Labs.



.NET Micro Framework home

Netduino web site

Arduino website

Microchip website

Maker Faire website

EZ boards

Blackfin processor family

AxiDotNet Blackfin .NET Microframework

Extending .NET Micro Framework with an MPEG-4 Video Decoder