[OpenID] Making Deployers Choose (was: Real Identity Verification)

Peter Williams pwilliams at rapattoni.com
Tue Nov 4 15:35:27 UTC 2008


What does Peter mean when using the terms of art "idp-centric" or "sp-centric"?

(Remember I'm the guy from the bottom of the class, merely attempting to correctly use the terms the experts teach me.)

I mean merely what is in this poster, including the architectural implications on discovery.

See http://www.jisc.ac.uk/media/documents/events/2006/07/discoveryposter.pdf in the section on idp-centric (vs sp-centric).

Concerning discovery (and the UI presentation of IDPs during sp-initiated websso), sp-centric implies that the SP is in charge of which IDPs are relevant to a particular target resource. For discovery in the idp-centric model, a party OTHER than the SP exercises control over which IDPs are relevant to a given target [set].


In the OpenID world, the protocol is essentially sp-initiated websso with an sp-centric model, as the discovery metadata allows the user (i.e. not the IDP) to control which IDPs/OPs are discoverable (and how delegation of linked URLs shall be treated by SPs).

Obviously, idp-centric models of OpenID ARE possible, where the architects ONLY permit the OP to manage the XRDS file of a principal, or require that ONLY the OP can operate the master XRI server for a namespace served by the OP's sub-space of XRI names.
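As an added illustration of the two points made in this reply (user-controlled discovery metadata and delegation on one side, the SP's own trust decision on the other), the following Python is example code and not part of the original thread or of any OpenID library. It parses a constructed XRDS document published at a user's claimed identifier, honours the user's service and URI priorities and LocalID (delegation), and then lets the SP apply its own allowlist of OPs. The XRDS namespace and the OpenID 2.0 Type URIs are the real ones from the specifications; the hostnames, the sample document and the function names are assumptions made for the example.

```python
"""XRDS discovery for an OpenID 2.0 claimed identifier, plus an SP-side OP allowlist.

Added example; not code from the openid.net thread.  The XRDS document below is
constructed for illustration and every hostname in it is hypothetical.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD_NS = "xri://$xrd*($v*2.0)"                                  # XRD 2.0 namespace
OPENID2_SIGNON = "http://specs.openid.net/auth/2.0/signon"      # claimed identifier
OPENID2_SERVER = "http://specs.openid.net/auth/2.0/server"      # OP identifier
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Constructed XRDS a user might serve at their claimed identifier URL.  The user,
# not the OP, decides which OP endpoints appear here and which local identifier
# (delegation) each OP should assert on their behalf.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example.net/openid/endpoint</URI>
      <LocalID>https://op.example.net/users/alice</LocalID>
    </Service>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI priority="5">https://backup-op.example.org/auth</URI>
      <URI priority="1">https://backup-op.example.org/auth-primary</URI>
      <LocalID>https://backup-op.example.org/id/alice</LocalID>
    </Service>
    <Service>
      <Type>http://openid.net/signon/1.1</Type>
      <URI>https://legacy.example.com/server</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def _priority(el):
    """Lower numeric priority wins; an element without one sorts last."""
    p = el.get("priority")
    return int(p) if p is not None else float("inf")


def _text(el):
    return el.text.strip() if el is not None and el.text else None


def discover(xrds_text):
    """Return [(op_endpoint, local_id), ...] for OpenID 2.0 services, best first.

    Only the last XRD in the document is authoritative.  Services and URIs are
    ordered by their priority attributes (stable sort keeps document order on ties).
    """
    root = ET.fromstring(xrds_text)
    xrds = root.findall(f"{{{XRD_NS}}}XRD")
    if not xrds:
        raise ValueError("no XRD element in XRDS document")
    xrd = xrds[-1]
    results = []
    for svc in sorted(xrd.findall(f"{{{XRD_NS}}}Service"), key=_priority):
        types = {t for t in (_text(x) for x in svc.findall(f"{{{XRD_NS}}}Type")) if t}
        if not types & {OPENID2_SIGNON, OPENID2_SERVER}:
            continue                      # e.g. an OpenID 1.1 service, ignored here
        uris = sorted(svc.findall(f"{{{XRD_NS}}}URI"), key=_priority)
        if not uris:
            continue
        if OPENID2_SIGNON in types:
            # Claimed identifier: the user's LocalID tells the OP which account
            # to assert (delegation); absent LocalID means "the claimed URL itself".
            local_id = _text(svc.find(f"{{{XRD_NS}}}LocalID"))
        else:
            # OP identifier: the RP asks the OP to pick the identifier.
            local_id = IDENTIFIER_SELECT
        results.append((_text(uris[0]), local_id))
    return results


def select_op(services, trusted_op_hosts=None):
    """SP-centric trust decision: pick the first discovered OP this SP will accept.

    trusted_op_hosts=None means all-comers; otherwise only listed hosts qualify.
    Plain-http endpoints are skipped so the assertion cannot travel in clear.
    """
    for endpoint, local_id in services:
        parts = urlsplit(endpoint)
        if parts.scheme != "https":
            continue
        if trusted_op_hosts is None or parts.hostname in trusted_op_hosts:
            return endpoint, local_id
    return None


if __name__ == "__main__":
    svcs = discover(SAMPLE_XRDS)
    print("user's preferred OPs:", svcs)
    print("all-comers SP picks:", select_op(svcs))
    print("restricted SP picks:", select_op(svcs, {"backup-op.example.org"}))
```

The split between `discover` and `select_op` is the point of the example: the user's XRDS fixes the candidate OPs and the delegated identifier, but the SP still decides which of those OPs it trusts, which is what makes the deployment sp-centric.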
________________________________
From: Nate Klingenstein [ndk at internet2.edu]
Sent: Tuesday, November 04, 2008 6:30 AM
To: Peter Williams
Cc: general at openid.net
Subject: Re: [OpenID] Making Deployers Choose (was: Real Identity Verification)

Peter,

I'm sorry, I'm afraid I don't follow.  What do you mean, IdP-centric and SP-centric?

InCommon today has roughly 75 IdPs and 35 SPs.  By contrast, the Swiss federation SWITCHaai has roughly 35 IdPs and 250 SPs.  Some SPs, like DreamSpark, support many federations.  Others, like ScienceDirect, support subsets of existing federations that are their customers.  Any SP can choose the set of IdPs it wants to display, support, and trust, including all-comers.

Wondering what else we could add to improve functionality for your needs,
Nate.

On 4 Nov 2008, at 13:15, Peter Williams wrote:

I don't see much future in idp-centric federations in web2.0, to be honest, which is where I feel Shib's design is biased. Of the various models, OpenID tends more to sp-centric federations, where AX update promotes what SAML calls sp-affiliations.

