Anyone seen xauth.org?
Nate Klingenstein
ndk at internet2.edu
Mon Apr 19 19:14:26 UTC 2010
Chris,
Here's the final specification for one of the models you're referring
to, the Discovery Service. It existed for many years prior to that as
the "WAYF" -- "where are you from?" service, and it's the one with
wide purchase in academia.
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.html
The XAuth proposal seems also, on quick, distract glance, to have
flavors of the "common domain cookie" in the original SAML specs, but
that failed in deployment.
But most of the technical distinctions appear to me to built around
the concept of integration with the user's session at the identity
provider. That would be radically different from what we've done thus
far, which caches and maintains nothing more than the user's choice of
identity provider; not even whether they're a legitimate user there.
It appears to place an enormous amount of power and centralization
into the hands of the XAuth service. We've always wanted the DS to be
an independent, optional piece of infrastructure, not the central cog
around which everything else rotates.
Interested to learn more, to see whether my initial reading here is off.
Nate.
On Apr 19, 2010, at 6:24 PM, Chris Messina wrote:
> In fact, this model is widely used in academia and in Europe to
> simplify federated authentication.
More information about the specs
mailing list