[OpenID] Become OpenID Provider
Peter Williams
pwilliams at rapattoni.com
Sun Jun 3 13:34:21 UTC 2007
> -----Original Message-----
> From: general-bounces at openid.net
> [mailto:general-bounces at openid.net] On Behalf Of Pat Patterson
> Sent: Saturday, June 02, 2007 7:27 AM
> To: Frans Thamura
> Cc: general at openid.net
> Subject: Re: [OpenID] Become OpenID Provider
>
> Hi Frans,
>
> There is also the OpenID Extension for OpenSSO:
> https://opensso.dev.java.net/public/extensions/openid/
>
> This is already in production at http://www.ssocircle.com/
> and coming soon at http://openid.sun.com/
>
1. IDP metadata sufficiency
So I tried to do some interworking with the IDP at ssocircle.com, using
its published metadata. I could NOT complete the setup because there was
no certificate in the metadata. As I'm a relying party, don't I need a
SSOCircle certificate to verify its SSO assertions (received over
redirect)?
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://idp.ssocircle.com">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:ArtifactResolutionService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="http://idp.ssocircle.com:80/sso/ArtifactResolver/metaAlias/ssocircle"
        index="0" isDefault="1" />
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.ssocircle.com:80/sso/IDPSloRedirect/metaAlias/ssocircle"
        ResponseLocation="http://idp.ssocircle.com:80/sso/IDPSloRedirect/metaAlias/ssocircle" />
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="http://idp.ssocircle.com:80/sso/IDPSloSoap/metaAlias/ssocircle" />
    <md:ManageNameIDService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.ssocircle.com:80/sso/IDPMniRedirect/metaAlias/ssocircle"
        ResponseLocation="http://idp.ssocircle.com:80/sso/IDPMniRedirect/metaAlias/ssocircle" />
    <md:ManageNameIDService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="http://idp.ssocircle.com:80/sso/IDPMniSoap/metaAlias/ssocircle" />
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.ssocircle.com:80/sso/SSORedirect/metaAlias/ssocircle" />
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
2. Multi-Protocol Brokering
Now to the fun part - with OpenID involved.
If my multi-protocol-capable OP site receives an OpenID Authentication
[Request] message, I'm intending that this is translated into an
SP-initiated WebSSO Request. This Assertion Request will be tagged with
the name of my "OP-SAML2-broker-entityID" (a term I just made up, for
want of knowing a better one).
The idea is that upon receipt of the SAML2 message, my SAML2 IDP will
message switch the request to one of the several other IDPs that it
knows about, in its inter-IDP trust model. This [de]multiplexing switch
will route the flow through the metadata-driven trust fabric, based on
the "OP-SAML2-broker-entityID".
3. Realty's meta-data Repository
Organized Realty already has a standard for specifying, handling and
querying (realty-related) information on the basis of metadata. The
standard is at rets.org. And, several metadata-aware user agents exist
and are widely adopted, to exploit this intelligence.
The fun part is now to somehow technically coordinate the OpenID world,
the SAML2 metadata, and the Realty metadata repository so there is a
standard way for inter-IDP-switching logic to build an instance of a
trust fabric - in much the same way that high-end internet router cards
on a backplane can upload pre-processed flow tables into their FPGAs.
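The two technical points in the message above, the RP-side metadata check from
section 1 and the OpenID-to-SAML2 brokering from section 2, can be put together
in a small piece of code. The following is an added example, not code from the
thread, from OpenSSO or from SSOCircle. It parses a trimmed copy of the quoted
ssocircle metadata (constructed here, with no KeyDescriptor, exactly the gap the
post complains about), refuses to route to an IdP whose metadata carries no
signing certificate, and otherwise turns an OpenID checkid_setup request into a
SAML2 AuthnRequest whose Issuer is the broker entityID, sent over the
HTTP-Redirect binding. The broker entityID, ACS URL, placeholder certificate
and OpenID parameter values are assumptions; the broker-side pending-request
store is an in-memory dict for the demo.

```python
import base64
import secrets
import urllib.parse
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone
from xml.sax.saxutils import escape, quoteattr

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed: trimmed copy of the ssocircle metadata quoted in the post.
# It has no <md:KeyDescriptor>, so an RP has nothing to verify assertions with.
SSOCIRCLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://idp.ssocircle.com">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.ssocircle.com:80/sso/SSORedirect/metaAlias/ssocircle"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed: the same metadata with a placeholder signing certificate added.
METADATA_WITH_CERT = SSOCIRCLE_METADATA.replace(
    "<md:SingleSignOnService",
    '<md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    "<ds:X509Data><ds:X509Certificate>MIIBplaceholder</ds:X509Certificate>"
    "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleSignOnService", 1)


def inspect_idp_metadata(xml_text):
    """Extract what an RP/SP needs from IdP metadata: entityID, the
    HTTP-Redirect SSO endpoint, and the signing certificate(s)."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    sso = [s.get("Location") for s in idp.findall(f"{{{MD}}}SingleSignOnService")
           if s.get("Binding") == HTTP_REDIRECT]
    certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") in (None, "signing"):  # absent 'use' means signing and encryption
            certs += ["".join(c.text.split()) for c in kd.iter(f"{{{DS}}}X509Certificate")]
    return {"entityID": root.get("entityID"),
            "sso_redirect": sso[0] if sso else None,
            "signing_certs": certs}


def metadata_usable_by_rp(info):
    """Assertions arriving over a redirect can only be trusted if their
    signature can be checked, so metadata with no signing key is unusable."""
    return bool(info["sso_redirect"]) and bool(info["signing_certs"])


def build_authn_request(issuer, acs_url, destination, request_id, issue_instant):
    """Minimal SP-initiated AuthnRequest; Issuer is the broker's entityID."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" '
        f"ID={quoteattr(request_id)} IssueInstant={quoteattr(issue_instant)} "
        f"Destination={quoteattr(destination)} "
        f"AssertionConsumerServiceURL={quoteattr(acs_url)} "
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer></samlp:AuthnRequest>"
    )


def redirect_binding_url(sso_url, request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode the query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(request_xml.encode()) + comp.flush()
    query = urllib.parse.urlencode({"SAMLRequest": base64.b64encode(raw).decode(),
                                    "RelayState": relay_state})
    return sso_url + ("&" if "?" in sso_url else "?") + query


def decode_redirect_request(url):
    """Inverse of redirect_binding_url: what the IdP does on receipt."""
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode(), qs["RelayState"][0]


PENDING = {}  # RelayState handle -> original OpenID request (demo-only, in memory)


def broker_openid_request(openid_params, idp_metadata_xml, broker_entity_id, broker_acs_url):
    """Translate an OpenID authentication request into a SAML2 AuthnRequest
    to the selected IdP and return the redirect URL to send the browser to."""
    if openid_params.get("openid.mode") not in ("checkid_setup", "checkid_immediate"):
        raise ValueError("not an OpenID authentication request")
    info = inspect_idp_metadata(idp_metadata_xml)
    if not metadata_usable_by_rp(info):
        raise ValueError(f"refusing to route to {info['entityID']}: no signing cert in metadata")
    handle = secrets.token_urlsafe(24)      # opaque and under the 80-byte RelayState limit
    PENDING[handle] = dict(openid_params)   # return_to/realm stay server-side, not in the URL
    request_xml = build_authn_request(
        broker_entity_id, broker_acs_url, info["sso_redirect"], "_" + uuid.uuid4().hex,
        datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
    return redirect_binding_url(info["sso_redirect"], request_xml, handle)
```

Run against SSOCIRCLE_METADATA the broker raises before any redirect is built;
against METADATA_WITH_CERT it produces a URL on the ssocircle SSORedirect
endpoint that decode_redirect_request can turn back into the AuthnRequest with
the broker entityID as Issuer. Keeping the OpenID return_to behind an opaque
RelayState handle avoids leaking it to the IdP and keeps the request within the
RelayState length limit.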