Federated Authorization

Dick Hardt dick at sxip.com
Fri Jan 19 00:15:47 UTC 2007

Hi James

As Phillip states, SAML can be used to represent the assertion.

Interesting that you mention a Doctor example. A use case that we are  
working on uses a Surgeon (Sally) who needs to prove:

- Tthe College of Physicians and Surgeons says she is a surgeon
- A particular hospital says she is part of their team
- The university says she is part of their faculty
- the government says she is the business owner of her surgical practice

With OpenID, each of these authorities could make a claim about  
Sally's OpenID. This could be expressed as a SAML assertion.

When accessing a resource that requires one of Sally's verified  
attributes, Sally (using her OP) proves she is a specific OpenID  
Idenitifier and also provides the SAML assertion(s) that prove that  
identifier has been verified to belong to a surgeon, team member,  
faculty member, business owner.

We have created an example for something anyone on the net can have  
verified, their email address. I'll post separately about that.

-- Dick

On 18-Jan-07, at 8:51 AM, McGovern, James F ((HTSC, IT)) wrote:

> I would love to see folks hear that also blog not only continue to  
> discuss federated identity but also consider of the course of  
> several additional postings also talk about the need for federated  
> authorization. Consider an example where a Doctor in a hospital is  
> having an electronic interaction with a healthcare insurance  
> provider. The hospital should be the identity provider while the  
> entity that licensed the Doctor for given sets of practices should  
> be responsible for certain forms of authorization.
> If we only talk about identity without authorization, the  
> conversation will result in lots of great software where folks who  
> create them won't make any money since consumer-centric  
> interactions have volume without corresponding revenue.
> ********************************************************************** 
> ***
> This communication, including attachments, is
> for the exclusive use of addressee and may contain proprietary,
> confidential and/or privileged information. If you are not the  
> intended
> recipient, any use, copying, disclosure, dissemination or  
> distribution is
> strictly prohibited. If you are not the intended recipient, please  
> notify
> the sender immediately by return e-mail, delete this communication and
> destroy all copies.
> ********************************************************************** 
> ***
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20070118/11bd4ac2/attachment-0002.htm>

More information about the specs mailing list