Anyone seen xauth.org?

Nate Klingenstein ndk at internet2.edu
Mon Apr 19 19:14:26 UTC 2010


Chris,

Here's the final specification for one of the models you're referring  
to, the Discovery Service.  It existed for many years prior to that as  
the "WAYF" -- "where are you from?" service, and it's the one with  
wide purchase in academia.

http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.html

The XAuth proposal seems also, on a quick, distracted glance, to have
flavors of the "common domain cookie" in the original SAML specs, but
that failed in deployment.

But most of the technical distinctions appear to me to be built around
the concept of integration with the user's session at the identity
provider.  That would be radically different from what we've done thus
far, which caches and maintains nothing more than the user's choice of
identity provider; not even whether they're a legitimate user there.

It appears to place an enormous amount of power and centralization  
into the hands of the XAuth service.  We've always wanted the DS to be  
an independent, optional piece of infrastructure, not the central cog  
around which everything else rotates.

Interested to learn more, to see whether my initial reading here is off.
Nate.

On Apr 19, 2010, at 6:24 PM, Chris Messina wrote:

> In fact, this model is widely used in academia and in Europe to  
> simplify federated authentication.
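Added example (not code from this thread, nor from Internet2, Shibboleth or any XAuth implementation) showing the two legs of the IdP Discovery Service exchange Nate describes, and what the DS does and does not remember. The SP redirects the user to the DS with its own entityID, a return URL and the name of the parameter to carry the answer; the DS sends the user back to that return URL with the chosen IdP's entityID appended, and stores nothing about the user except that choice (the space-separated, base64-encoded list of entityIDs of the common domain cookie). The one security check a DS must get right is that the return URL really belongs to the requesting SP, otherwise it is an open redirector. SP_METADATA, KNOWN_IDPS, the example.edu/example.org URLs and the scheme-host-plus-path-prefix matching rule are all constructed assumptions of this example, not taken from the specification or from any federation's metadata.

```python
"""SAML IdP Discovery Service exchange, modelled offline.

Constructed stand-ins for federation metadata follow; a real DS would load
these from signed SAML metadata. The DS keeps only the user's IdP choice,
never any session state from the IdP.
"""
import base64
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qs

# Constructed: SP entityID -> registered DiscoveryResponse endpoint locations.
SP_METADATA = {
    "https://sp.example.edu/shibboleth": ["https://sp.example.edu/Shibboleth.sso/Login"],
}
# Constructed: IdPs the DS is willing to hand back.
KNOWN_IDPS = {"https://idp.example.edu/idp/shibboleth", "https://idp.other.example.org/idp"}
COOKIE_NAME = "_saml_idp"  # common domain cookie name from the SAML profiles


class DiscoveryError(ValueError):
    pass


def parse_ds_request(url):
    """Extract the discovery protocol parameters from the SP's redirect."""
    qs = parse_qs(urlsplit(url).query)

    def one(name, default=None):
        vals = qs.get(name)
        if vals is None:
            return default
        if len(vals) != 1:
            raise DiscoveryError(f"parameter {name} repeated")
        return vals[0]

    req = {
        "entityID": one("entityID"),
        "return": one("return"),
        "returnIDParam": one("returnIDParam", "entityID"),
        "isPassive": one("isPassive", "false") == "true",
    }
    if not req["entityID"]:
        raise DiscoveryError("entityID is required")
    return req


def validate_return_url(sp_entity_id, return_url):
    """Accept return only if it sits under one of the SP's registered endpoints.
    Matching rule (this example's choice): same scheme and host, path prefix."""
    endpoints = SP_METADATA.get(sp_entity_id)
    if endpoints is None:
        raise DiscoveryError(f"unknown SP {sp_entity_id}")
    if return_url is None:
        return endpoints[0]  # no return given: use the SP's registered endpoint
    p = urlsplit(return_url)
    for ep in endpoints:
        e = urlsplit(ep)
        if (p.scheme, p.netloc) == (e.scheme, e.netloc) and p.path.startswith(e.path):
            return return_url
    raise DiscoveryError(f"return URL {return_url} not registered for {sp_entity_id}")


def read_idp_cookie(cookie_value):
    """Cookie holds base64 entityIDs separated by spaces, most recent last."""
    if not cookie_value:
        return []
    return [base64.b64decode(tok).decode() for tok in cookie_value.split()]


def build_idp_cookie(idp_entity_id, existing_value=""):
    """Move or append the chosen IdP to the end of the remembered list."""
    ids = [i for i in read_idp_cookie(existing_value) if i != idp_entity_id]
    ids.append(idp_entity_id)
    return " ".join(base64.b64encode(i.encode()).decode() for i in ids)


def handle_discovery(request_url, chosen_idp=None, cookie_value=""):
    """One DS round trip. Returns (redirect_location, new_cookie_value).
    chosen_idp is what the user picked in the DS UI; with isPassive=true the
    DS may only use the cookie and otherwise returns the user with no IdP."""
    req = parse_ds_request(request_url)
    return_url = validate_return_url(req["entityID"], req["return"])
    remembered = read_idp_cookie(cookie_value)
    if chosen_idp is None and req["isPassive"]:
        chosen_idp = remembered[-1] if remembered else None
    if chosen_idp is None:
        if req["isPassive"]:
            return return_url, cookie_value  # passive: hand back silently
        raise DiscoveryError("no IdP selected")  # interactive DS would render a picker here
    if chosen_idp not in KNOWN_IDPS:
        raise DiscoveryError("IdP not in federation metadata")
    p = urlsplit(return_url)
    query = p.query + ("&" if p.query else "") + urlencode({req["returnIDParam"]: chosen_idp})
    location = urlunsplit((p.scheme, p.netloc, p.path, query, p.fragment))
    return location, build_idp_cookie(chosen_idp, cookie_value)
```

Note what the DS response contains: only the IdP's entityID, tacked onto the SP's own URL. Nothing about whether the user can authenticate there flows through the DS, which is the contrast with a session-integrated XAuth-style service that the email draws.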


