Requiring Pseudonymous Identifier

Paul Madsen paulmadsen at rogers.com
Tue May 12 10:39:01 UTC 2009


There are telco use cases where a family member, by dint only of
'subscriber authentication' to the IDP/OP, is able to access shared
resources (e.g. family calendar) at an SP/RP.

Unlike in Chris's academia case, the OP/IDP is itself unable to
distinguish a particular user from amongst other group members based on
this sort of authentication.

To allow the SP to indicate back to the IDP that it needed a user
authenticated as an individual (to allow, for instance, the RP to show
calendar events associated with the user and not shared amongst the
group), in SAML we defined an extension to Authn Context to distinguish
between such shared credentials and those that are unique to a single user.

http://docs.oasis-open.org/security/saml/SpecDrafts-Post2.0/sstc-saml-context-ext-sc-cd-03.pdf

paul

Chris Messina wrote:
> On Tue, May 12, 2009 at 10:55 AM, Dick Hardt <dick.hardt at gmail.com> wrote:
>
>
>     On 12-May-09, at 1:36 AM, Nat Sakimura wrote:
>
>
>         Reason for using RP's Subject in XRD instead of simply using
>         realm is
>         to allow for something like group identifier.
>
>
>     would you elaborate on the group identifier concept?
>
>
> I'm not sure what Nat is specifically referring to, but there was a US 
> academic institution that provided OpenIDs for "classes" of people... 
> i.e. students, teachers, etc.
>
> When you signed in for certain application, the OP would respond with 
> the appropriate identifier for a class of users.
>
> So, imagine I use directed identity in a school application... when I
> sign in to the OP, it will return something like
> schoolname.edu/student as the identifier.
>
> You could imagine something similar where you could use authentication 
> as a way to verify that someone comes from some geographic region or 
> has previously registered for certain entitlements.
>
> Chris
>
> -- 
> Chris Messina
> Open Web Advocate
>
> factoryjoe.com // diso-project.org // openid.net // vidoop.com
> This email is:   [ ] bloggable    [X] ask first   [ ] private
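The relying-party side of what Paul describes, as an added example that is not code from this thread or from the SAML extension spec: the RP reads the AuthnContextClassRef from the IdP's assertion, grants shared-credential sessions access only to shared resources, and for per-user data builds the standard SAML 2.0 RequestedAuthnContext asking the IdP to re-authenticate the individual. The two `urn:example:...` class URIs and the assertion fragment are constructed placeholders, not identifiers from the page or the spec.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Placeholder class URIs (assumption): which AuthnContext classes the IdP uses
# for a shared household credential versus a single authenticated person.
SHARED_CLASSES = {"urn:example:ac:classes:SharedSubscriberCredential"}
INDIVIDUAL_CLASSES = {"urn:example:ac:classes:IndividualUser"}

# Constructed assertion fragment: a family member signed in with the
# shared subscriber credential, so the IdP cannot say which member it is.
ASSERTION_XML = f"""
<saml:Assertion xmlns:saml="{SAML}">
  <saml:AuthnStatement>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:example:ac:classes:SharedSubscriberCredential</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def authn_context_class(assertion_xml):
    """Return the AuthnContextClassRef URI from an assertion, or None."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(f".//{{{SAML}}}AuthnContextClassRef")
    return ref.text.strip() if ref is not None and ref.text else None


def access_decision(assertion_xml, resource_scope):
    """resource_scope is 'shared' (family calendar) or 'individual'
    (one member's own events). Unknown classes fail closed to step-up."""
    cls = authn_context_class(assertion_xml)
    if cls in INDIVIDUAL_CLASSES:
        return "allow"
    if cls in SHARED_CLASSES and resource_scope == "shared":
        return "allow"
    return "step-up"


def requested_authn_context():
    """Build the <samlp:RequestedAuthnContext> an RP places in its
    AuthnRequest to demand individual authentication (Comparison="exact"
    is standard SAML 2.0; the class URI is the placeholder above)."""
    rac = ET.Element(f"{{{SAMLP}}}RequestedAuthnContext", Comparison="exact")
    for uri in sorted(INDIVIDUAL_CLASSES):
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = uri
    return ET.tostring(rac, encoding="unicode")
```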