[OpenID] [LIKELY_SPAM] OpenID Identity Discovery with XRI and XRDS

Peter Williams pwilliams at rapattoni.com
Tue Nov 11 03:38:14 UTC 2008


Given the likes of Google (services) and Microsoft (software and services) are doing both SAML2 and OpenID2, it's worth looking at the convergence space again. Appropriately, we can look to Drummond's paper, which says

"The OASIS SAML specifications include authentication flows very similar to OpenID except for the initial discovery steps [26]. So it is not surprising that they can be adapted to use the same XRDS discovery mechanism as OpenID 2.0. The only difference is the use of a SAML authentication service endpoint. This flow was demonstrated by Pat Patterson of Sun at Internet Identity Workshop in December 2006 [27].
This flow can be further enhanced to provide automated discovery of the SAML metadata [28] necessary to interact with the SAML service provider. By including an XRI as the value of the <xrd:ProviderID> element in the SAML authentication service endpoint, an RP can use XRI trusted resolution to resolve this identifier and obtain another XRDS with service endpoint(s) advertising the location of the service provider's SAML metadata"

Now I have to admit, I'm struggling with the basics of this proposition. It seems to say that an OpenID2 RP would wish to converse with a SAML2 SP, and various bits of jiggery-pokery with multi-level resolution can facilitate such things. But why would an RP want to talk to another RP (known as an SP in SAML-speak)? ...unless it's participating in an SP affiliation (like AX update)?

Is there a strong reason why this somewhat esoteric example of SAML/OpenID2 convergence (by sharing XRDS) was chosen as the example of iterative discovery?


From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Peter Williams
Sent: Monday, November 10, 2008 6:21 PM
Cc: OpenID List
Subject: [LIKELY_SPAM][OpenID] OpenID Identity Discovery with XRI and XRDS

I just reread Drummond et al's infamous (really, well-written) paper on the design motivations of openid auth 2.0, particularly as those motivations refer to discovery. It's well worth rereading, occasionally.

OpenID Identity Discovery with XRI and XRDS

Drummond Reed
Cordance Corp. 3020 Issaquah-Pinelake RDF #74 Sammamish WA 98075 +1.206.618.8530
drummond.reed at cordance.net

Les Chasen
Neustar, Inc. 46000 Center Oak Plaza Sterling VA 20166 +1.571.434.5474
les.chasen at neustar.biz

William Tan
Neustar, Inc. 46000 Center Oak Plaza Sterling VA 20166 +1.571.434.5400
william.tan at neustar.biz
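The two-level discovery the quoted paragraph describes (an XRI carried in the SAML authentication service endpoint's `<ProviderID>`, resolved to a second XRDS that advertises the SP's metadata location), as an added Python example that is not code from the paper or from anyone on the list. The XRD namespace is the real XRI Resolution 2.0 one; the service type URIs, the XRI `xri://@example*sp`, the URLs, and the table-backed `RESOLVER_TABLE` standing in for XRI trusted resolution are all constructed placeholders.

```python
import xml.etree.ElementTree as ET  # expat: no external-entity expansion by default

XRD_NS = "xri://$xrd*($v*2.0)"
# Service type URIs are constructed placeholders, not values from the paper.
SAML_AUTHN_TYPE = "urn:example:saml2:authn-service"
SAML_METADATA_TYPE = "urn:example:saml2:metadata"

# Constructed XRDS the RP gets for the user's identifier; the SAML authentication
# service endpoint carries an XRI in <ProviderID>, as the quoted paragraph describes.
USER_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service priority="10">
    <Type>urn:example:saml2:authn-service</Type>
    <ProviderID>xri://@example*sp</ProviderID>
    <URI>https://sp.example.com/saml2/sso</URI>
  </Service></XRD>
</xrds:XRDS>"""
# Constructed XRDS that trusted resolution of that XRI would return.
SP_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service>
    <Type>urn:example:saml2:metadata</Type>
    <URI>https://sp.example.com/saml2/metadata.xml</URI>
  </Service></XRD>
</xrds:XRDS>"""
# Stand-in for XRI trusted resolution: a fixed table instead of a network lookup.
RESOLVER_TABLE = {"xri://@example*sp": SP_XRDS}

def q(tag):
    return "{%s}%s" % (XRD_NS, tag)

def find_services(xrds_text, service_type):
    """Return Service elements advertising service_type, best priority first."""
    root = ET.fromstring(xrds_text)
    hits = [s for s in root.iter(q("Service"))
            if service_type in [t.text for t in s.findall(q("Type"))]]
    # Lower priority value wins; a Service with no priority sorts last.
    return sorted(hits, key=lambda s: int(s.get("priority", "2147483647")))

def discover_saml_metadata(user_xrds, resolve):
    """Second-level discovery: follow ProviderID to the SP's metadata URI."""
    for svc in find_services(user_xrds, SAML_AUTHN_TYPE):
        pid = (svc.findtext(q("ProviderID")) or "").strip()
        provider_xrds = resolve(pid) if pid else None
        if provider_xrds is None:
            continue  # no XRI, or resolution failed: try the next endpoint
        for meta in find_services(provider_xrds, SAML_METADATA_TYPE):
            uri = (meta.findtext(q("URI")) or "").strip()
            if uri:
                return {"sso": svc.findtext(q("URI")), "provider_id": pid,
                        "metadata": uri}
    return None  # no SAML endpoint with a resolvable ProviderID
```

The table lookup hides the part that matters for trust: in a real RP the `resolve` callable is XRI trusted resolution, and the metadata URI is only as trustworthy as that resolution chain.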

