IdP vs OP (WAS: RE: "Editors" Conference Call)

John Kemp frumioj at mac.com
Tue Nov 7 20:58:07 UTC 2006


Hi Pete,

We're in agreement - I was just noting that a SAML IdP is asserting the
link between an identifier and a user/subject/principal, which is the
same as OpenID.

As you say, in SAML, the identifier is often (but doesn't have to be)
created by the IdP. And, as you say, in OpenID, the identifier is often
(but doesn't have to be) created by the user.

Regards,

- John

Pete Rowley wrote:
> John Kemp wrote:
>> Drummond Reed wrote:
>>  
>>> And it doesn't stop there. OpenID also supports OPs that
>>> ***have zero control over the user's OpenID identifier***. The OP simply
>>> provides a service for authenticating that a user has control of the
>>> OpenID
>>> identifier about which the OP is being queried.
>>>     
>>
>> And how does one authenticate that the user has control over an
>> identifier? Is it not by having the OpenID IdP having some secret shared
>> with the user - maybe a password, say?
>>
>> A SAML IdP also authenticates that an identifier (issued by the IdP in
>> the SAML case) is bound to a particular user.
>>   
> "issued by the IdP in the SAML case" is really the point. While an
> identifier /may/ be issued by an OpenID provider (IdP, AA, etc.), that is
> really the user's choice: the user chooses their identifier and the user
> chooses who is authorized to provide authentication for the identifier.
> So really the OP, IdP, AA etc. isn't providing an identifier or an
> identity. It is providing an identifier ownership assertion service that
> may or may not be backed up by some form of authentication, and that
> service provider may be changed.
> 
> 
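The separation Pete describes (the user owns the identifier; the OP is merely the party the user has authorized to assert control over it, and that party can be swapped) is what OpenID's HTML discovery step makes concrete. The following is an added example, not code from this thread or from any OpenID library: a minimal relying-party-side discovery routine that reads the `openid.server` / `openid.delegate` (OpenID 1.1) and `openid2.provider` / `openid2.local_id` (OpenID 2.0) link relations from the page served at the user's identifier URL, plus the check a relying party must do afterwards so that only the OP the user actually named can vouch for that identifier. All hostnames and paths are constructed for illustration.

```python
from html.parser import HTMLParser
from typing import Dict, Optional

# Constructed sample: the HTML a user serves at their own identifier URL.
# Both the 1.1 and the 2.0 link relations are present; the user, not the OP,
# decides what goes here, and can point a new OP at any time.
SAMPLE_IDENTIFIER_PAGE = """<html><head>
<link rel="openid.server" href="https://op-a.example.net/auth">
<link rel="openid.delegate" href="https://op-a.example.net/user/alice">
<link rel="openid2.provider" href="https://op-a.example.net/auth">
<link rel="openid2.local_id" href="https://op-a.example.net/user/alice">
</head><body>alice's page</body></html>"""

# The same identifier after the user switches providers: only the page changed.
SAMPLE_AFTER_PROVIDER_CHANGE = """<html><head>
<link rel="openid2.provider" href="https://op-b.example.org/openid">
<link rel="openid2.local_id" href="https://op-b.example.org/id/alice-42">
</head><body>alice's page</body></html>"""


class _LinkRelParser(HTMLParser):
    """Collect the first href seen for each rel value on <link> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.rels: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            # rel may carry several space-separated tokens
            for token in rel.split():
                self.rels.setdefault(token.lower(), href)


def discover(identifier_url: str, page_html: str) -> Dict[str, str]:
    """Return the OP endpoint and the identifier the OP knows the user by.

    OpenID 2.0 relations take precedence; 1.1 relations are the fallback.
    If no local id / delegate is given, the claimed identifier itself is
    what the OP is expected to assert about.
    """
    p = _LinkRelParser()
    p.feed(page_html)
    provider: Optional[str] = p.rels.get("openid2.provider") or p.rels.get("openid.server")
    local_id: Optional[str] = p.rels.get("openid2.local_id") or p.rels.get("openid.delegate")
    if provider is None:
        raise ValueError("no OpenID provider link found on identifier page")
    return {
        "claimed_id": identifier_url,
        "op_endpoint": provider,
        "local_id": local_id or identifier_url,
    }


def assertion_matches_discovery(discovered: Dict[str, str],
                                asserting_op_endpoint: str,
                                asserted_identity: str) -> bool:
    """Relying-party check: accept an ownership assertion only if it comes
    from the OP the user delegated to and concerns the delegated identifier.
    Any other OP claiming to vouch for this identifier is rejected, which is
    what keeps the user's choice of provider meaningful."""
    return (asserting_op_endpoint == discovered["op_endpoint"]
            and asserted_identity == discovered["local_id"])


if __name__ == "__main__":
    claimed = "https://alice.example.com/"
    d = discover(claimed, SAMPLE_IDENTIFIER_PAGE)
    print(d)
    print(assertion_matches_discovery(d, d["op_endpoint"], d["local_id"]))
```

Re-running `discover` on the second sample page shows the identifier unchanged while the endpoint and local id now belong to a different OP; an assertion from the old OP would then fail `assertion_matches_discovery`, because the relying party trusts what the identifier page says, not what any OP says about itself.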



