IdP vs OP (WAS: RE: "Editors" Conference Call)

Eve L. Maler Eve.Maler at Sun.COM
Wed Nov 8 16:23:10 UTC 2006


Just to be clear, "identity provider" in SAML isn't intended to mean 
that this system entity is providing an identity to a digital 
subject -- it means that this system entity is providing identity 
information (specifically verification/authentication info) to a 
relying party/service provider.

 From the SAML glossary (now in HTML...):

http://www.oasis-open.org/committees/download.php/21053/saml-glossary-2.0-os.html#Identity Provider
http://www.oasis-open.org/committees/download.php/21053/saml-glossary-2.0-os.html#Relying Party

Often, but not always, a SAML authentication authority also serves 
as an attribute authority:

http://www.oasis-open.org/committees/download.php/21053/saml-glossary-2.0-os.html#Attribute Authority

	Eve

John Kemp wrote:
> Hi Pete,
> 
> We're in agreement - I was just noting that a SAML IdP is asserting the
> link between an identifier and a user/subject/principal, which is the
> same as OpenID.
> 
> As you say, in SAML, the identifier is often (but doesn't have to be)
> created by the IdP. And, as you say, in OpenID, the identifier is often
> (but doesn't have to be) created by the user.
> 
> Regards,
> 
> - John
> 
> Pete Rowley wrote:
>> John Kemp wrote:
>>> Drummond Reed wrote:
>>>  
>>>> And it doesn't stop there. OpenID also supports OPs that
>>>> ***have zero control over the user's OpenID identifier***. The OP simply
>>>> provides a service for authenticating that a user has control of the
>>>> OpenID
>>>> identifier about which the OP is being queried.
>>>>     
>>> And how does one authenticate that the user has control over an
>>> identifier? Is it not by the OpenID IdP having some secret shared
>>> with the user - maybe a password, say?
>>>
>>> A SAML IdP also authenticates that an identifier (issued by the IdP in
>>> the SAML case) is bound to a particular user.
>>>   
>> "issued by the IdP in the SAML case" is really the point. While an
>> identifier /may/ be issued by an OpenID provider (IdP, AA, etc.), that is
>> really the user's choice: the user chooses their identifier and the user
>> chooses who is authorized to provide authentication for the identifier.
>> So really the OP, IdP, AA etc. isn't providing an identifier or an
>> identity. It is providing an identifier ownership assertion service that
>> may or may not be backed up by some form of authentication, and that
>> service provider may be changed.
>>
>>
> 

-- 
Eve Maler                                         +1 425 947 4522
Technology Director                           eve.maler @ sun.com
CTO Business Alliances group                Sun Microsystems, Inc.
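The "OP with zero control over the user's identifier" that Drummond and Pete describe is exactly what OpenID 1.1 HTML-based discovery makes possible: the page behind the user's claimed URL carries an `openid.server` link naming the OP the user has authorized, and optionally an `openid.delegate` link naming the identifier that OP actually knows the user by. The following is an added example (not code from this thread or from any OpenID implementation) that performs that discovery over two constructed identifier pages, one delegating to a third-party OP and one hosted at the OP itself, and then applies the relying-party check that follows from the delegation model: the identity the OP asserts in its response must equal the identifier discovered from the claimed URL, otherwise any OP could assert ownership of any claimed URL. All hostnames and URLs are made up; `openid.server` and `openid.delegate` are the link relations defined by the OpenID 1.1 spec.

```python
"""Added example: OpenID 1.1-style HTML discovery with delegation.

Shows that the user, not the OP, chooses both the claimed identifier and
the OP authorized to authenticate it, and the RP-side check this requires.
"""
from dataclasses import dataclass
from html.parser import HTMLParser


@dataclass(frozen=True)
class Discovery:
    claimed_id: str    # URL the user typed at the RP (owned by the user)
    op_endpoint: str   # OP server the user has delegated to
    op_local_id: str   # identifier the OP is asked about (may differ)


class _LinkCollector(HTMLParser):
    """Collect <link rel=... href=...> pairs; first occurrence of a rel wins."""

    def __init__(self) -> None:
        super().__init__()
        self.links: dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = (a.get("rel") or "").lower(), a.get("href")
        if rel and href:
            for r in rel.split():            # rel may list several tokens
                self.links.setdefault(r, href)


def discover(claimed_id: str, html: str) -> Discovery:
    """Resolve an OpenID 1.1 identifier page to its OP and OP-local identifier.

    Without openid.delegate the OP is queried about the claimed URL itself.
    """
    parser = _LinkCollector()
    parser.feed(html)
    server = parser.links.get("openid.server")
    if server is None:
        raise ValueError("identifier page has no openid.server link")
    delegate = parser.links.get("openid.delegate", claimed_id)
    return Discovery(claimed_id, server, delegate)


def verify_response_identity(disc: Discovery, asserted_identity: str) -> bool:
    """RP check: the OP may only assert the identifier discovery pointed it at.

    A positive assertion for any other identity must be rejected, or an OP the
    user never authorized could vouch for the user's claimed URL.
    """
    return asserted_identity == disc.op_local_id


# Constructed identifier pages (hypothetical hosts, not real sites).
ALICE_PAGE = """<html><head>
<link rel="openid.server" href="https://op.example.net/server">
<link rel="openid.delegate" href="https://op.example.net/user/alice">
</head><body>alice's homepage</body></html>"""

BOB_PAGE = """<html><head>
<link rel="openid.server" href="https://bob.example.org/openid">
</head><body>bob, hosting his own OP</body></html>"""


if __name__ == "__main__":
    alice = discover("https://alice.example.org/", ALICE_PAGE)
    bob = discover("https://bob.example.org/", BOB_PAGE)
    print(alice)   # OP queried about the delegate, not the claimed URL
    print(bob)     # no delegate: OP queried about the claimed URL itself
    print(verify_response_identity(alice, "https://op.example.net/user/alice"))
    print(verify_response_identity(alice, "https://op.example.net/user/mallory"))
```

Note that the claimed identifier never needs to be issued by, or even known to, the OP beforehand: it is the user's choice, and swapping the `openid.server` link re-delegates the same identifier to a different OP, which is the portability point Pete makes above.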
