Anyone seen xauth.org?

Nate Klingenstein ndk at internet2.edu
Mon Apr 19 19:54:07 UTC 2010


Chris,

> I'm not sure I follow the distinction you're making — what is the  
> difference between "concept of integration with the user's session  
> at the identity provider" and the "user's choice of identity  
> provider"?
>
> While the token/cookie stored via XAuth in the browser's  
> localStorage may contain whatever information the identity/service  
> provider wishes to include, my suspicion is that most IDPs and SPs  
> will just indicate that a session exists at a particular provider.

That *is* the main distinction I see on quick glance.  It includes a  
variety of information that an identity or service provider would want  
to include.  The discovery service caches nothing more than an  
untrusted decision by the user regarding which identity provider  
they'd like to use.

XAuth may be storing highly trusted information, in providing an  
indexical reference to the specific session from which, among other  
things, to pull attributes.

Even the indication of an extant session, depending on how it's used  
by the SP/RP and OP/IdP once it's received (e.g. a direct query for  
more information, rather than the IdP/OP doing a further check to  
ensure the user does control that session), can be sensitive  
information.

> I'd be interested in knowing more about your experience here — and  
> what adoption pitfalls you've run into, and whether it's likely that  
> the central service is likely to go away any time soon.

The biggest pitfall is that we have many different DS services  
scattered around the world, each of which has a heterogeneous set of  
providers listed and trusted.  This is often for good  
reasons (different national laws, different sets of trusted providers,  
different trust frameworks, privacy concerns) and often for other  
kinds of reasons (branding, parochial control, lack of cooperation, no  
eagerness to make a list of 1000 providers into a list of 5000  
providers, or otherwise complicate the interface for initial  
selection) but we've had a terrible time breaking that impasse.

We've tried to get the central service to go away on belief that the  
SP/RP will have the best knowledge of the IdP's it wants to deal with,  
and the best knowledge of how to integrate discovery with their own  
user experience, and that smart clients would be here real soon now.   
I'm more of a believer in the value of a discovery service than most  
in the academic community because I do think it provides a lot of value.

But I anticipate that a third party storing even the evidence that  
there is an active session at the IdP would be a very difficult sell  
to the campuses, particularly in Europe.

I could go on for pages on this topic, sadly...
Nate.
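As an added illustration of the distinction drawn in the message above, the following is example code that is not part of the thread and not code from XAuth, xauth.org or Internet2. It models a discovery-style hint (only the user's untrusted choice of IdP) and an XAuth-style token that carries a reference to the user's session, both stored in a shared-origin storage, and runs each through an SP that trusts the stored reference for a direct attribute query and an SP that only uses the hint to route the browser to the IdP. The storage keys, payload shapes, the MockIdP class and the two SP functions are all assumptions made for illustration; they are not the real XAuth API or any SAML implementation.

```javascript
// Added example, not code from the thread or from XAuth/xauth.org. Every
// name, payload shape and IdP/SP interface below is an assumption made for
// illustration of the "untrusted hint" versus "session reference" distinction.

// Stand-in for the shared-origin localStorage a cross-site hub would expose.
const hubStorage = new Map();

// Discovery-service style entry: only the user's untrusted choice of IdP.
function storeDiscoveryHint(entityId) {
  hubStorage.set("idp-hint", JSON.stringify({ idp: entityId }));
}

// XAuth-style entry: whatever the provider chose to put in. Here it is an
// indexical reference to the user's live session at the IdP (assumed shape).
function storeSessionToken(entityId, sessionHandle) {
  hubStorage.set("session-token",
    JSON.stringify({ idp: entityId, session: sessionHandle }));
}

// Mock IdP. Its own cookie is the only evidence that the browser making a
// request actually controls the session it refers to.
class MockIdP {
  constructor() {
    this.sessions = new Map();  // session handle -> { user, attributes }
    this.cookies = new Map();   // cookie value -> session handle
  }
  login(user) {
    const handle = "sess-" + user;
    const cookie = "idpcookie-" + Math.random().toString(36).slice(2);
    this.sessions.set(handle, { user, attributes: { mail: user + "@example.edu" } });
    this.cookies.set(cookie, handle);
    return { handle, cookie };
  }
  // Back-channel lookup by session reference: no check that the caller is the
  // user, so anyone holding the handle gets the attributes.
  queryBySessionHandle(handle) {
    const s = this.sessions.get(handle);
    return s ? { ...s.attributes } : null;
  }
  // Front-channel authentication: the browser must present the IdP's cookie.
  authenticateBrowser(presentedCookie) {
    const handle = this.cookies.get(presentedCookie);
    const s = handle ? this.sessions.get(handle) : undefined;
    return s ? { ...s.attributes } : null;
  }
}

// Naive SP: treats the stored session reference as trusted and pulls
// attributes directly with it.
function naiveSpResolve(idp, hubEntry) {
  const token = JSON.parse(hubEntry);
  return idp.queryBySessionHandle(token.session);
}

// Checking SP: the hint only selects which IdP to send the browser to; the IdP
// then decides on the strength of its own cookie, so the hint itself carries
// nothing a third party can spend.
function checkingSpResolve(idpRegistry, hubEntry, browserIdpCookie) {
  const hint = JSON.parse(hubEntry);
  const idp = idpRegistry.get(hint.idp);
  return idp ? idp.authenticateBrowser(browserIdpCookie) : null;
}

// Run both hints through both SPs, once as the real user (who holds the IdP
// cookie) and once as a third party that can read the hub's storage but has
// no IdP cookie. Constructed scenario; "alice" and the entity ID are made up.
function runScenario() {
  const idp = new MockIdP();
  const registry = new Map([["https://idp.example.edu", idp]]);
  const { handle, cookie } = idp.login("alice");
  storeDiscoveryHint("https://idp.example.edu");
  storeSessionToken("https://idp.example.edu", handle);

  return {
    // What a reader of the shared storage learns from each entry.
    discoveryHintFields: Object.keys(JSON.parse(hubStorage.get("idp-hint"))),
    sessionTokenFields: Object.keys(JSON.parse(hubStorage.get("session-token"))),
    userViaCheckingSp: checkingSpResolve(registry, hubStorage.get("idp-hint"), cookie),
    // The naive path cannot tell the user from a third party: same call, same result.
    thirdPartyViaNaiveSp: naiveSpResolve(idp, hubStorage.get("session-token")),
    thirdPartyViaCheckingSp: checkingSpResolve(registry, hubStorage.get("idp-hint"), undefined),
  };
}
```

The discovery hint gives a storage reader only the `idp` field, and the checking SP refuses anyone who cannot present the IdP's cookie. The session token exposes a `session` field that the naive SP will spend on a direct query, which is the case the message describes: the indication of an extant session becomes sensitive as soon as an SP uses it without the IdP re-checking that the browser controls that session.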


More information about the specs mailing list