[OpenID] FW: Technical Comparison: OpenID and SAML - Draft 06

Peter Williams pwilliams at rapattoni.com
Thu Jan 24 19:12:54 UTC 2008


2 questions:

Q1. how does XRI/XRD conflict with ENUM/NAPTR and IETF-style provisioning of name and service records in DNS

A1: You have not read IETF stuff, and I have not read XRI stuff (because it costs money to read even a draft OASIS standard). We are kind of stuck in a deadlock. Thus, I go with the IETF stuff, expressed particularly in ENUM.

- The basic YADIS approach (read an XRDS stream from an http endpoint) seems like a temporary hack, in the big scheme of things. Going XRI native or XRI proxies is a blind alley for me, personally, right now (as I'm ignorant of what it all means, ultimately)

- walled garden ENUM (where the walled-garden variant was a hard won battle in IETF, note) shows how reliance on openid could be walled off, without forcing the walling procedures to use protocol level security controls (encryption etc) or qualified namespaces.

Q2. how can openid2 and SAML2 cooperate (within the SAML2 proxying model and nameid-qualification/autocreate model)

A2: OpenID2 (like SAML2) assumes matters of qualified naming and account subscription/provisioning are handled as local matters - using some or other backend (probably legacy) system. We happen to have fronted our proprietary stuff (that covers about 85% of realty's 2.5 million current or recently expired accounts) with a SAML endpoint - saying to the world: ok! stop whining about realty proprietary legacy systems: here is an open interface. Get on with it. You have naming protocols, encryption protocols, assertion protocols, now even attribute query protocols. When I finally get my head around SAML+XACML, we will add authorization protocols via PEPs/PDPs/PAPs.

We are perfectly happy for the openid2 protocol engine to be either a downstream or upstream SAML/legacy proxy (in the formal SAML IDP proxying model). You want to talk to realty via openid protocols..? Wonderful. Here is how (not that you really need to know) it maps onto realty's open SAML interfaces so we can realize your desire. In certain advanced cases, the openid relying party will have business rules that DEMAND that it knows about what proxying went on, and with whom. So, we will have to "emulate" certain SAML signals as AX attributes, probably. Or, openid3 will do it properly.

Peter (speaking for Rapattoni, not various other realty systems vendors or NAR).
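The YADIS approach Peter dismisses above ("read an XRDS stream from an http endpoint") is the discovery step an OpenID 2.0 relying party performs before any SAML-style proxying can happen: fetch the XRDS document, pick the highest-priority OpenID service, and only then talk to the OP. The example below is added here and is not code from the thread or from Rapattoni; it parses a constructed XRDS document, applies the XRDS priority rules (lower number wins, missing priority is least preferred, last XRD is authoritative) and, since the thread's concern is that websso assurance depends on secure resolution, refuses to select a non-https endpoint unless told otherwise. Host names and LocalIDs in the sample are invented.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# XRDS / XRD 2.0 namespaces and the OpenID 2.0 service type identifiers.
XRD_NS = "xri://$xrd*($v*2.0)"
OPENID2_SIGNON = "http://specs.openid.net/auth/2.0/signon"
OPENID2_SERVER = "http://specs.openid.net/auth/2.0/server"

# Constructed XRDS document (hosts and identifiers are invented). Note the
# two services with the same type, the plain-http URI with the *best* URI
# priority, and the unrelated SReg service with no priority at all.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>http://legacy.example.net/openid</URI>
      <LocalID>http://legacy.example.net/u/alice</LocalID>
    </Service>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI priority="5">https://op.example.com/server</URI>
      <URI priority="1">http://op.example.com/server</URI>
      <LocalID>https://op.example.com/user/alice</LocalID>
    </Service>
    <Service>
      <Type>http://openid.net/sreg/1.0</Type>
      <URI>https://op.example.com/server</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def _priority(elem):
    # XRDS rule: lower number is preferred; an absent priority is least preferred.
    value = elem.get("priority")
    return int(value) if value is not None else float("inf")


def parse_services(xrds_text):
    """Return the services of the authoritative (last) XRD, sorted by priority."""
    root = ET.fromstring(xrds_text)
    xrd = root.findall(f"{{{XRD_NS}}}XRD")[-1]
    services = []
    for svc in xrd.findall(f"{{{XRD_NS}}}Service"):
        types = [t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text]
        uris = sorted(svc.findall(f"{{{XRD_NS}}}URI"), key=_priority)
        local_id = svc.find(f"{{{XRD_NS}}}LocalID")
        services.append({
            "priority": _priority(svc),
            "types": types,
            "uris": [u.text.strip() for u in uris if u.text],
            "local_id": local_id.text.strip() if local_id is not None and local_id.text else None,
        })
    services.sort(key=lambda s: s["priority"])  # stable sort keeps document order on ties
    return services


def select_openid_endpoint(xrds_text, require_https=True):
    """Pick the first OpenID 2.0 endpoint by priority, skipping non-https URIs by default."""
    for svc in parse_services(xrds_text):
        if OPENID2_SIGNON not in svc["types"] and OPENID2_SERVER not in svc["types"]:
            continue  # e.g. the SReg service: wrong type, never a signon endpoint
        for uri in svc["uris"]:
            if require_https and urlparse(uri).scheme != "https":
                continue  # an http endpoint would let the assertion travel in clear
            return {"endpoint": uri, "local_id": svc["local_id"], "priority": svc["priority"]}
    return None


if __name__ == "__main__":
    print(select_openid_endpoint(SAMPLE_XRDS))
    print(select_openid_endpoint(SAMPLE_XRDS, require_https=False))
```

With `require_https=True` the priority-10 service is chosen but its priority-1 http URI is passed over for the https one; with the check disabled the http URI wins on priority alone, which is exactly the kind of downgrade a relying party's discovery code should not accept silently.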

________________________________

From: Joseph Holsten on behalf of Joseph Anthony Pasquale Holsten
Sent: Wed 1/23/2008 11:17 PM
To: Peter Williams
Cc: Drummond Reed; openid-general
Subject: Re: [OpenID] FW: Technical Comparison: OpenID and SAML - Draft 06


On 02008:01:21, at 7:57CST, Peter Williams wrote:

	Intending to speak non-threateningly, I know (as a security designer on the dumber end of the know-how spectrum) that I want next to investigate SAML2 and its use of NAPTRs. It's in this area where there appears a conflict of infrastructure vision between openid and SAML2 - one that concerns me.

	Openid Auth (over https) is fine as a lightweight websso protocol. But, the whole XRD and XRI emphasis conflicts with general IETF direction in DNS, NAPTRs, walled-garden ENUM etc. I know for my part, I don't yet know how to reconcile these two infrastructure visions on resolving names to services, particularly as the websso assurance depends on secure name resolution. I do know I'm personally arming a new SAML2 party each week (in US realty), with increasingly sophisticated use of the fancier SAML2 features (which bodes well for openid2, which has the same feature set as SAML in the 80% of features that most matter).


What are you referring to about conflicts with the IETF direction? I haven't monitored IETF work in years, so please excuse my ignorance. Are you referring to the way XRI extends existing URI infrastructure? Does non-XRI XRD resolution (née yadis) overcome these conflicts in your eyes?

	Whilst we at rapattoni have made a commitment to ensure we can join realty's websso infrastructure to the web2.0 world via openid2, beyond that limited goal I'm not sure how to characterize what we will do with openid. I think it all comes down to SPECIFICALLY how the UCI management vision takes off, or not, in such as business applications that are building on all the various successful social networking practices proven over the last few years.


I wonder, are you implementing openid alongside SAML2? It seems that most of the SSO uses we've had at my work are best solved with OAuth, although if the site you're SSOing with acts as an OP, I guess AX would be sufficient.

http:// Joseph Holsten .com