A topic that I have been thinking about lately involves how companies can "mash-up" their B2B applications in a secure manner.
It is critical to understand, I think, that some core differences between a consumer mash-up like those that apply statistical information over, say, Google Maps and a B2B scenario might be: 1) business applications will commonly employ some type of authentication system to gain access to the data within the application and 2) customers could have the ability to alter data within either application.
Within the B2B mash-up model I can see applications participating in both a unidirectional manner, where application A pulls data from application B, and a bidirectional manner, where application A pulls data from application B and application B pulls data from application A -- think of a pair of applications that need to stay in sync with some or all of their data, e.g. a hosted billing solution such as the one offered by Aria Systems and a hosted Sugar CRM solution like the one offered by RPS Technology.
Now, in both scenarios how should we manage identity? When application A pulls data from application B on behalf of the user in application A, how does application B ensure that the end-user has authorized application A to pull that data at that moment in time? I'm thinking about how we protect against fraud or misbehaving applications that might be holding onto credentials and performing actions without the explicit authorization of the end-user.
This is a situation where a SaaS Hosting Provider could come to market with an identity solution that signs the authorization credentials via some type of proxy service that sits in front of the application and issues tickets for the current session. Both applications would trust the ticket from the 3rd party (the SHP) and allow the interaction between the two applications. Once the ticket expires, application A and application B break the trust and become silos again. The proxy service would also have the benefit of allowing the end-user to utilize a single logon for both applications; it could abstract the credentials, handle the authentication and hand off to the application.
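As an added illustration of the ticket model described above (not code from this post or from any of the companies named), here is a minimal HMAC-signed session ticket: the SHP issues it bound to the user, the calling application and the target application with an expiry, and application B verifies it before serving the request. The key, claim names and application names are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical shared secret between the SHP and the applications (constructed
# for this demo). A real deployment would use per-application keys or an
# asymmetric signature so that applications can verify without being able to mint.
SHP_KEY = b"constructed-demo-secret-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(user: str, calling_app: str, target_app: str, ttl_seconds: int,
                 key: bytes = SHP_KEY, now: Optional[float] = None) -> str:
    """SHP side: bind user, calling app and target app into a short-lived signed ticket."""
    issued = int(now if now is not None else time.time())
    claims = {"sub": user, "azp": calling_app, "aud": target_app,
              "iat": issued, "exp": issued + ttl_seconds}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_ticket(ticket: str, expected_app: str, expected_caller: str,
                  key: bytes = SHP_KEY, now: Optional[float] = None) -> Optional[dict]:
    """Application B side: accept only an unexpired ticket issued for this caller and target."""
    try:
        body, tag = ticket.split(".", 1)
        expected_tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected_tag, _unb64(tag)):
            return None  # forged or tampered ticket
        claims = json.loads(_unb64(body))
    except ValueError:  # covers bad base64, bad JSON and a missing separator
        return None
    if not isinstance(claims, dict):
        return None
    if claims.get("aud") != expected_app or claims.get("azp") != expected_caller:
        return None  # ticket was issued for a different pair of applications
    current = now if now is not None else time.time()
    if current >= claims.get("exp", 0):
        return None  # trust lapses once the session ticket expires
    return claims
```

Application B would look up the user from the returned `sub` claim and reject the call on `None`; the `now` parameter exists only so expiry can be exercised deterministically.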
I think we will begin to see more and more B2B mash-ups. It will most likely start as narrow contracts between the companies offering the services, but will hopefully expand into a more generalized manner where any ISV can build their application to pull data from another application using some type of trust system. I could see ISVs publishing their API(s) into a service catalogue in which other ISVs can find the API and begin mashing up data points within their applications, creating ad-hoc suites of applications that share segments of data between each other.
(We are a fairly traditional host breaking out into utility computing and SaaS hosting.)
Now all we need to do is create the solution.... :)