Comments on: The future’s so bright I gotta wear shades

By: Pushing String » OpenID and SAML: a swirling nexus

Pushing String » OpenID and SAML: a swirling nexus — Sun, 21 Jan 2007 08:03:09 +0000

[…] The next morning, refreshed, we continued the “convergence touchpoints” exploration that began back in October and saw progress in December. […]

By: Paul

Paul — Fri, 03 Nov 2006 07:44:11 +0000

Just when I had been able to expunge (embarassingly Canadian) Corey Hart from my memory, you bring him back in.

By: Eve M.

Eve M. — Thu, 26 Oct 2006 04:24:42 +0000

Hello Chris– Good point. This was basically the first key use case that SAML V1.x tackled, what eventually got called IdP-initiated SSO. This is the simplest possible flow, of course — no request for action, just authentication/authorization assurances pushed out at the right time.

We quickly found out, of course, just how appealing it is to be able to start at the service provider directly — so you can (e.g.) bookmark your favorite services directly and not have to start at a “portal” every time. So SAML V2.0 added the rest of the picture to make it more interoperable, since everyone was finding ways of doing it anyway (we had an interop test event at the RSA 2004 conference where this was the main complicating factor).

Partly because the SP-initiated version of the use case demands the same sorts of user choice that you’ve pointed out, and for a bunch of other reasons (protocol length/trickiness, UI design considerations…), it’s at least least twice as complicated as the other way. But it looks like it can’t be left out. :-)

By: Chris

Chris — Thu, 26 Oct 2006 03:54:36 +0000

Good IdP’s also offer a solution from “the other side” - instead of finding an RP and trying to log in to it - the IdP maintains a list of “bookmarks” for you, so when you want to log in to an RP - you click on it’s bookmark from inside your IdP - in other words - the RP only ever sees whatever identity you want it to - which might be an RP-specific one, or even an anonymous one: the main benefit being that you still need only 1 “main” identity, and no bots or google queries get a chance to link all your other identities back to you.

By: Pushing String » Pseudonym picking

Pushing String » Pseudonym picking — Tue, 24 Oct 2006 15:18:02 +0000

[…] Drummond Reed responds to my point of OpenID confusion kindly and informatively. It sounds like inputting the IdP’s address is precisely what the new draft does allow, along with having the user pick an identifier: starting with OpenID Authentication 2.0, a user will have two options for logging into an OpenID-enabled site: with their personal identifier, or with the identifier of their OpenID provider (IdP). If the user chooses the latter option, the IdP will let the user choose the identifier they want to share with the site — anything from a specific persona to a one-time URL/XRI generated by the IdP just for this relationship. […]