[Openid-specs-ab] MTI section in Messages Draft 15

Roland Hedberg roland.hedberg at adm.umu.se
Sun Feb 3 17:12:46 UTC 2013

On 1 Feb 2013, at 00:28, Nat Sakimura <sakimura at gmail.com> wrote:

> Needs for fine grained claims request gets in other jurisdictions than the US, I can imagine. 
> With the Data collection limitation and Data minimization requirements combined with PIA requirement after 2014, that gets pretty important in EU. 

That is definitely true!

But, one difference between SAML2 and OIDC is that in SAML2 you publish what attributes/claims
you want in the metadata not in the AuthnRequest.

Hence, OIDC is more dynamic in that respect, since the RequestObject can be used to vary in real time what the RP wants.
This of course increases the implementation complexity.
It also makes the administration of the identity provider more difficult.
In SAML2 federations today there is a constant struggle between what the services want and what the identity providers are prepared to release.
It is important to note that this decision is made at the moment the decision is made whether an SP is allowed to talk to the IdP.
Also worth noting is that IdP administrators are turning to the federations to provide them with guidance on what
to return, because with thousands of SPs there is just too much work to vet each of them separately.

So, while I can see the benefit of having the functionality that the RequestObject provides I'm a bit unsure as to
whether it will actually be used/supported/an administrative nightmare.

-- Roland
Roland Hedberg
IT Architect/Senior Researcher
ICT Services and System Development (ITS) 
Umeå University 
SE-901 87 Umeå, Sweden	
Phone +46 90 786 68 44
Mobile +46 70 696 68 44 
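
Added example, not part of the original message or of any OpenID project code: one way an OP could combine the two models discussed above, by vetting a per-RP release policy once at registration (as with SAML2 metadata) and filtering each dynamic Request Object against it. Assumptions: the `claims` layout is the one from the final OpenID Connect Core 1.0 rather than Draft 15, signature validation of the Request Object is out of scope, and the client IDs, policy and sample request are constructed.

```python
# Constructed per-RP release policy, decided once when the RP is registered
# (the SAML2-style decision point described in the message).
RELEASE_POLICY = {
    "rp.example.org": {"sub", "email", "name"},
}

# Constructed payload of an already-verified Request Object.
SAMPLE_REQUEST = {
    "client_id": "rp.example.org",
    "claims": {
        "userinfo": {
            "email": {"essential": True},
            "phone_number": None,
            "birthdate": {"essential": True},
        },
        "id_token": {"sub": None},
    },
}


def filter_claims_request(request_object, policy=RELEASE_POLICY):
    """Split a dynamic claims request into granted and denied parts.

    granted: {"userinfo"/"id_token": {claim: spec}} limited to the vetted set.
    denied:  {"userinfo"/"id_token": [(claim, was_essential), ...]} for audit
             logging, so over-asking RPs are visible to the administrator.
    An RP with no policy entry gets nothing (default deny).
    """
    allowed = policy.get(request_object.get("client_id"), set())
    claims = request_object.get("claims") or {}
    granted, denied = {}, {}
    for target in ("userinfo", "id_token"):
        for name, spec in (claims.get(target) or {}).items():
            essential = isinstance(spec, dict) and spec.get("essential") is True
            if name in allowed:
                granted.setdefault(target, {})[name] = spec
            else:
                denied.setdefault(target, []).append((name, essential))
    return granted, denied


if __name__ == "__main__":
    ok, refused = filter_claims_request(SAMPLE_REQUEST)
    print("granted:", ok)
    print("denied :", refused)
```

A denied essential claim is reported rather than silently dropped, since the RP has stated it cannot function properly without it.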
