The future’s so bright I gotta wear shades

Pat Patterson went and did it: He implemented the Service Provider (relying party) side of SAML V2.0’s browser/POST single sign-on profile…entirely in PHP. A number of people have been concerned that SAML is somehow just too hard to implement, particularly with that nasty XML Signature bit, but I think this shows the concern wasn’t warranted. He was apparently inspired by the ease with which Kim Cameron implemented InfoCard in PHP; of course, that has a significant SAML token-handling component, so there are a lot of similarities in what you have to do underneath.

At the same time, Jeff Hodges and Scott Cantor have continued to improve their SimpleSign and Lightweight SSO specs for doing SSO using SAML in an entirely XML-Signature-free way. The best way to keep up with this work is to track JeffH’s IdentityMeme.org blog. (He’s also got a recent post surveying the landscape of IETF I-D references to SAML, and other handy stuff.)

The next thing I’d love to see (I should get off my duff and do it, or at least browbeat Peter Davis into it — he’s the main guy behind the specs for SSO using both i-names and SAML) is a very simple spec showing how to use Yadis as the metadata and discovery component for SAML. With this, you could not only use Yadis for identities that have non-URL, non-XRI identifiers (such as the millions upon millions of “legacy” identities out there), but avoid some privacy issues as well.

The security considerations section of Peter’s spec profiling SAML for XRIs contains the seeds of everything you need to know to pull this off:

The use of XRIs for authentication service discovery introduces a new potential correlation handle of the principal. Authentication service providers should carefully consider the risks associated with this shared identifier.

One suggested remedy is allow the principal to only supply the XRI of the authentication service provider (eg: @IdentityProvider), and not their personal i-name.

(I tried figuring out if the OpenID V2.0 work includes this approach as a possibility for URL-based identifiers, and it appears to go part of the way, though the underlying purpose seems to be different. Revision 10’s Appendix C.1 says “Supports IdP-driven identifier selection. This new variation of the protocol flow is initiated by entering an Identifier for an IdP instead of an Identifier for an End User, and allows the IdP to assist the End User in selecting an Identifier.” But I’m having trouble finding where in the normative spec this is defined.)

All in all, I think Pat’s lightbulb metaphor is apt — lightweight identity, shining a light on the identity issue, having the lightbulb suddenly go on, I get it, I get it. Now, with the “gotta wear shades” song in my head, I just have to avoid the next step down into earworm hell: “I wear my sunglasses at night”. Oh no! Too late! Even worse, the lyrics actually lend themselves to security and privacy themes…

No tags for this post.

5 Comments to “The future’s so bright I gotta wear shades”

  1. […] Drummond Reed responds to my point of OpenID confusion kindly and informatively. It sounds like inputting the IdP’s address is precisely what the new draft does allow, along with having the user pick an identifier: starting with OpenID Authentication 2.0, a user will have two options for logging into an OpenID-enabled site: with their personal identifier, or with the identifier of their OpenID provider (IdP). If the user chooses the latter option, the IdP will let the user choose the identifier they want to share with the site anything from a specific persona to a one-time URL/XRI generated by the IdP just for this relationship. […]

  2. Chris 25 October 2006 at 7:54 pm #

    Good IdP’s also offer a solution from “the other side” – instead of finding an RP and trying to log in to it – the IdP maintains a list of “bookmarks” for you, so when you want to log in to an RP – you click on it’s bookmark from inside your IdP – in other words – the RP only ever sees whatever identity you want it to – which might be an RP-specific one, or even an anonymous one: the main benefit being that you still need only 1 “main” identity, and no bots or google queries get a chance to link all your other identities back to you.

  3. Eve M. 25 October 2006 at 8:24 pm #

    Hello Chris– Good point. This was basically the first key use case that SAML V1.x tackled, what eventually got called IdP-initiated SSO. This is the simplest possible flow, of course — no request for action, just authentication/authorization assurances pushed out at the right time.

    We quickly found out, of course, just how appealing it is to be able to start at the service provider directly — so you can (e.g.) bookmark your favorite services directly and not have to start at a “portal” every time. So SAML V2.0 added the rest of the picture to make it more interoperable, since everyone was finding ways of doing it anyway (we had an interop test event at the RSA 2004 conference where this was the main complicating factor).

    Partly because the SP-initiated version of the use case demands the same sorts of user choice that you’ve pointed out, and for a bunch of other reasons (protocol length/trickiness, UI design considerations…), it’s at least least twice as complicated as the other way. But it looks like it can’t be left out. :-)

  4. Paul 2 November 2006 at 11:44 pm #

    Just when I had been able to expunge (embarassingly Canadian) Corey Hart from my memory, you bring him back in.

  5. […] The next morning, refreshed, we continued the “convergence touchpoints” exploration that began back in October and saw progress in December. […]