IdP vs OP (WAS: RE: "Editors" Conference Call)
Eve L. Maler
Eve.Maler at Sun.COM
Wed Nov 8 16:23:10 UTC 2006
Just to be clear, "identity provider" in SAML isn't intended to mean
that this system entity is providing an identity to a digital
subject -- it means that this system entity is providing identity
information (specifically verification/authentication info) to a
relying party/service provider.
From the SAML glossary (now in HTML...):
http://www.oasis-open.org/committees/download.php/21053/saml-glossary-2.0-os.html#Identity
Provider
http://www.oasis-open.org/committees/download.php/21053/saml-glossary-2.0-os.html#Relying
Party
Often, but not always, a SAML authentication authority also serves
as an attribute authority:
http://www.oasis-open.org/committees/download.php/21053/saml-glossary-2.0-os.html#Attribute
Authority
Eve
John Kemp wrote:
> Hi Pete,
>
> We're in agreement - I was just noting that a SAML IdP is asserting the
> link between an identifier and a user/subject/principal, which is the
> same as OpenID.
>
> As you say, in SAML, the identifier is often (but doesn't have to be)
> created by the IdP. And, as you say, in OpenID, the identifier is often
> (but doesn't have to be) created by the user.
>
> Regards,
>
> - John
>
> Pete Rowley wrote:
>> John Kemp wrote:
>>> Drummond Reed wrote:
>>>
>>>> And it doesn't stop there. OpenID also supports OPs that
>>>> ***have zero control over the user's OpenID identifier***. The OP simply
>>>> provides a service for authenticating that a user has control of the
>>>> OpenID
>>>> identifier about which the OP is being queried.
>>>>
>>> And how does one authenticate that the user has control over an
>>> identifier? Is it not by having the OpenID IdP having some secret shared
>>> with the user - maybe a password, say?
>>>
>>> A SAML IdP also authenticates that an identifier (issued by the IdP in
>>> the SAML case) is bound to a particular user.
>>>
>> "issued by the IdP in the SAML case" is really the point. While an
>> identifier /may/ be issued by an OpenID provider (IdP, AA, etc.) that is
>> really the user's choice, the user chooses their identifier and the user
>> chooses who is authorized to provide authentication for the identifier.
>> So really the OP, IdP, AA etc. isn't providing an identifier or an
>> identity. It is providing an identifier ownership assertion service that
>> may or may not be backed up by some form of authentication, and that
>> service provider may be changed.
>>
>>
>
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
>
--
Eve Maler +1 425 947 4522
Technology Director eve.maler @ sun.com
CTO Business Alliances group Sun Microsystems, Inc.
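The mechanism behind Pete's point (the user, not the OP, chooses both the identifier and who may authenticate it) is OpenID's HTML-based discovery: the page at the user's identifier URL carries link relations naming the OP endpoint and, optionally, a delegated "local" identifier. The following is an added example, not code from this thread or from any OpenID implementation; the hostnames and the sample identifier page are constructed for illustration. It parses the OpenID 1.x (openid.server / openid.delegate) and OpenID 2.0 (openid2.provider / openid2.local_id) link relations and returns the OP the user has authorized.

```python
from html.parser import HTMLParser

# Constructed sample: the HTML a relying party would fetch from a user's
# claimed identifier (say https://alice.example/). The user has chosen to
# delegate authentication to a separate OP and declares a local identifier
# that the OP knows her by. Every hostname here is hypothetical.
SAMPLE_IDENTIFIER_PAGE = """
<html><head>
  <title>Alice</title>
  <link rel="openid.server" href="https://op.example.net/server">
  <link rel="openid.delegate" href="https://op.example.net/users/alice">
  <link rel="openid2.provider" href="https://op.example.net/server">
  <link rel="openid2.local_id" href="https://op.example.net/users/alice">
</head><body>Alice's page</body></html>
"""


class _LinkRelParser(HTMLParser):
    """Collect rel -> href for <link> elements; first declaration wins."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            # rel may carry several space-separated values
            for r in rel.split():
                self.links.setdefault(r.lower(), href)


def discover(claimed_id, html):
    """
    HTML-based OpenID discovery on the page at claimed_id.

    Returns (op_endpoint, local_id, version). OpenID 2.0 relations are
    preferred; OpenID 1.x relations are the fallback. When the page declares
    no delegate / local_id, the identifier the OP authenticates is the
    claimed identifier itself.
    """
    p = _LinkRelParser()
    p.feed(html)
    links = p.links
    if "openid2.provider" in links:
        return (links["openid2.provider"],
                links.get("openid2.local_id", claimed_id), "2.0")
    if "openid.server" in links:
        return (links["openid.server"],
                links.get("openid.delegate", claimed_id), "1.1")
    raise ValueError("no OpenID link relations found at %s" % claimed_id)


if __name__ == "__main__":
    print(discover("https://alice.example/", SAMPLE_IDENTIFIER_PAGE))
```

The output of discovery is exactly the "ownership assertion service" binding Pete describes: the OP at op.example.net is asked whether the user controls the local identifier, and the relying party maps a positive answer back to the claimed identifier. Because the user can edit this page at any time, the relying party must treat the binding as valid only for the discovery it performed for this login, and OpenID 2.0 requires it to check that the OP's assertion names the same endpoint and identifiers it discovered.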