[OpenID] Become OpenID Provider
Pat Patterson
Andrew.Patterson at Sun.COM
Mon Jun 4 15:49:00 UTC 2007
Hi Peter,
Inline...
Peter Williams wrote:
>> -----Original Message-----
>> From: general-bounces at openid.net
>> [mailto:general-bounces at openid.net] On Behalf Of Pat Patterson
>> Sent: Saturday, June 02, 2007 7:27 AM
>> To: Frans Thamura
>> Cc: general at openid.net
>> Subject: Re: [OpenID] Become OpenID Provider
>>
>> Hi Frans,
>>
>> There is also the OpenID Extension for OpenSSO:
>> https://opensso.dev.java.net/public/extensions/openid/
>>
>> This is already in production at http://www.ssocircle.com/
>> and coming soon at http://openid.sun.com/
>>
> 1. IDP metadata sufficiency
>
> So I tried to do some interworking with the IDP at ssocircle.com, using
> its published metadata. I could NOT complete the setup because there was
> no certificate in the metadata. As I'm a relying party, don't I need an
> SSOCircle certificate to verify its SSO assertions (received over
> redirect)?
>
> <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://idp.ssocircle.com">
>   <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>     <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://idp.ssocircle.com:80/sso/ArtifactResolver/metaAlias/ssocircle" index="0" isDefault="1" />
>     <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://idp.ssocircle.com:80/sso/IDPSloRedirect/metaAlias/ssocircle" ResponseLocation="http://idp.ssocircle.com:80/sso/IDPSloRedirect/metaAlias/ssocircle" />
>     <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://idp.ssocircle.com:80/sso/IDPSloSoap/metaAlias/ssocircle" />
>     <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://idp.ssocircle.com:80/sso/IDPMniRedirect/metaAlias/ssocircle" ResponseLocation="http://idp.ssocircle.com:80/sso/IDPMniRedirect/metaAlias/ssocircle" />
>     <md:ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://idp.ssocircle.com:80/sso/IDPMniSoap/metaAlias/ssocircle" />
>     <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
>     <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
>     <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://idp.ssocircle.com:80/sso/SSORedirect/metaAlias/ssocircle" />
>   </md:IDPSSODescriptor>
> </md:EntityDescriptor>
>
I don't run SSOCircle, but I passed this on to Hu Liu
<http://www.ssocircle.com/about.shtml>, who does (Hu does? :-) ).
> 2. Multi-Protocol Brokering
>
> Now to the fun part - with OpenID involved.
>
> If my multi-protocol-capable OP site receives an OpenID Authentication
> [Request] message, I'm intending that this is translated into an
> SP-initiated WebSSO Request. This Assertion Request will be tagged with
> the name of my "OP-SAML2-broker-entityID" (a term I just made up, for
> want of knowing a better one).
>
> The idea is that upon receipt of the SAML2 message, my SAML2 IDP will
> message switch the request to one of the several other IDPs that it
> knows about, in its inter-IDP trust model. This [de]multiplexing switch
> will route the flow through the metadata-driven trust fabric, based on
> the "OP-SAML2-broker-entityID".
>
I think this is possible right now with OpenSSO and its OpenID extension
- OpenID RP -> [OpenID OP/SAML2 SP] -> SAML2 IdP. AFAICS, the trick
would be in configuring it so that, for instance, an OpenID authN
request for you might go to idp.rapattoni.com and an OpenID authN
request for me would go to idp.sun.com.
Paul B - are you there? Thoughts?
> 3. Realty's meta-data Repository
>
> Organized Realty already has a standard for specifying, handling and
> querying (realty-related) information on the basis of metadata. The
> standard is at rets.org. And, several metadata-aware user agents exist
> and are widely adopted, to exploit this intelligence.
>
> The fun part is now to somehow technically coordinate the OpenID world,
> the SAML2 metadata, and the Realty metadata repository so there is a
> standard way for inter-IDP-switching logic to build an instance of a
> trust fabric - in much the same way that high-end internet router cards
> on a backplane can upload pre-processed flow tables into their FPGAs.
>
This indeed would be the identity meta-system :-)
There is some early thinking around this:
* ISSO: http://wiki.xdi.org/moin.cgi/IservicesSpecs
* Almost an ISSO demo:
http://blogs.sun.com/superpat/entry/yadis%2Fxri_identifier_resolution_with_saml
* Concordia: http://wiki.projectliberty.org/index.php/Concordia
I think a lot of disparate technical details are in place for this - a
concrete real-world use case might be just what it needs to push it all
forward...
Cheers,
Pat
--
Pat Patterson - pat.patterson at sun.com
Federation Architect,
Sun Microsystems, Inc.
http://blogs.sun.com/superpat
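Peter's first point is the one a relying party hits in practice: SAML 2.0 IdP metadata advertises the signing key in an md:KeyDescriptor/ds:KeyInfo/ds:X509Certificate element, and without it the RP cannot verify the Response it gets back over the redirect. The check below is an added example, not code from the thread, from OpenSSO or from SSOCircle; it parses an EntityDescriptor with the Python standard library and reports whether any signing certificate is present. The two metadata documents are constructed for the example (the first is a trimmed copy of the quoted SSOCircle metadata, the second adds a KeyDescriptor whose certificate value is a placeholder, not a real key).

```python
"""Check whether SAML 2.0 IdP metadata carries a signing certificate.

Added example (not from the thread). An RP that consumes IdP metadata
should refuse to finish setup when no X509Certificate usable for
signature verification is advertised, which is exactly the situation
described in the thread.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def signing_certificates(metadata_xml: str) -> list:
    """Return the base64 certificate bodies an RP may use to verify IdP signatures.

    A KeyDescriptor with no 'use' attribute applies to both signing and
    encryption, so it is accepted alongside use="signing"; use="encryption"
    keys are skipped because they say nothing about who signed an assertion.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    # ".//" also handles metadata wrapped in an EntitiesDescriptor aggregate.
    for idp in root.iterfind(".//md:IDPSSODescriptor", NS):
        for kd in idp.iterfind("md:KeyDescriptor", NS):
            if kd.get("use") not in (None, "signing"):
                continue
            for cert in kd.iterfind(".//ds:X509Certificate", NS):
                if cert.text and cert.text.strip():
                    # Normalise whitespace so line-wrapped PEM bodies compare equal.
                    certs.append("".join(cert.text.split()))
    return certs


def can_verify_assertions(metadata_xml: str) -> bool:
    """True when at least one signing certificate is advertised."""
    return bool(signing_certificates(metadata_xml))


# Constructed sample: trimmed copy of the metadata quoted in the thread (no KeyDescriptor).
METADATA_WITHOUT_CERT = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://idp.ssocircle.com">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.ssocircle.com:80/sso/SSORedirect/metaAlias/ssocircle" />
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: the same descriptor with a signing KeyDescriptor added.
# The certificate body is a placeholder string, not a real certificate.
METADATA_WITH_CERT = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://idp.example.test">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        PLACEHOLDER-BASE64-CERT
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-ENC-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.test/sso" />
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    for label, doc in (("ssocircle-style", METADATA_WITHOUT_CERT),
                       ("with-keydescriptor", METADATA_WITH_CERT)):
        ok = can_verify_assertions(doc)
        print(f"{label}: {'usable' if ok else 'REJECT: no signing certificate advertised'}")
```

Run on the first document the check fails, which is the outcome Peter saw; on the second it returns the single signing certificate and ignores the encryption-only key. A real RP would go on to parse the certificate and pin it for signature verification rather than trusting whatever the next metadata fetch contains.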