Anyone seen xauth.org?

Chris Messina chris.messina at gmail.com
Mon Apr 19 19:37:34 UTC 2010


I'm not sure I follow the distinction you're making — what is the difference
between "concept of integration with the user's session at the identity
provider" and the "user's choice of identity provider"?

While the token/cookie stored via XAuth in the browser's localStorage may
contain whatever information the identity/service provider wishes to
include, my suspicion is that most IDPs and SPs will just indicate that a
session exists at a particular provider.

Since many RPs already know or have some idea which IDPs or SPs they want to
integrate with (or the types of services they're interested in), they just
need to look in the list for matches and then offer them up to the user as
familiar options.

I'd be interested in knowing more about your experience here — and what
adoption pitfalls you've run into, and whether it's likely that the central
service is likely to go away any time soon.

Chris

On Mon, Apr 19, 2010 at 12:14 PM, Nate Klingenstein <ndk at internet2.edu> wrote:

> Chris,
>
> Here's the final specification for one of the models you're referring to,
> the Discovery Service.  It existed for many years prior to that as the
> "WAYF" -- "where are you from?" service, and it's the one with wide purchase
> in academia.
>
>
> http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.html
>
> The XAuth proposal seems also, on a quick, distracted glance, to have flavors
> of the "common domain cookie" in the original SAML specs, but that failed in
> deployment.
>
> But most of the technical distinctions appear to me to be built around the
> concept of integration with the user's session at the identity provider.
> That would be radically different from what we've done thus far, which
> caches and maintains nothing more than the user's choice of identity
> provider; not even whether they're a legitimate user there.
>
> It appears to place an enormous amount of power and centralization into the
> hands of the XAuth service.  We've always wanted the DS to be an
> independent, optional piece of infrastructure, not the central cog around
> which everything else rotates.
>
> Interested to learn more, to see whether my initial reading here is off.
> Nate.
>
>
> On Apr 19, 2010, at 6:24 PM, Chris Messina wrote:
>
>> In fact, this model is widely used in academia and in Europe to simplify
>> federated authentication.


-- 
Chris Messina
Open Web Advocate, Google

Personal: http://factoryjoe.com
Follow me on Buzz: http://buzz.google.com/chrismessina
...or Twitter: http://twitter.com/chrismessina

This email is:   [ ] shareable    [X] ask first   [ ] private
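The flow Chris sketches above (an IdP leaves a "session exists here" hint in shared browser storage, and an RP intersects that list with the providers it already supports), as an added JavaScript example that is not part of this thread or of XAuth itself. The hint format, the Map standing in for localStorage, and the function names are assumptions; it also makes explicit that a hint records only a choice of provider, so the RP still has to run its real login with it.

```javascript
// Added example, not from the thread. "store" stands in for the central
// service's localStorage (a Map with get/set); the hint layout is assumed.

// Identity provider side: record only that a session exists at this provider.
// Nothing about who the user is, or whether the session is valid, is stored.
function recordSession(store, provider, expiresAt) {
  const hints = JSON.parse(store.get("xauth") || "[]")
    .filter(h => h.provider !== provider);   // replace an older hint for this IdP
  hints.push({ provider, expiresAt });
  store.set("xauth", JSON.stringify(hints));
}

// Relying party side: keep only hints for IdPs this RP already integrates
// with, and drop expired ones. The result orders the login UI; it is not
// an authentication result, and the RP must still complete its normal
// login flow with whichever provider the user picks.
function discover(store, supportedProviders, now) {
  const hints = JSON.parse(store.get("xauth") || "[]");
  const supported = new Set(supportedProviders);
  return hints
    .filter(h => h.expiresAt > now && supported.has(h.provider))
    .map(h => h.provider);
}
```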