[OpenID] FW: Google teams with Ping for Universal Login to SaaS
Peter Williams
pwilliams at rapattoni.com
Tue Jul 28 15:53:45 UTC 2009
Ping apparently announced this morning that "we’ve teamed with Google to create a universal login for SaaS."
Seems to be a bridge.
On the left, there appears to be a variant of openid2 auth v2 between the "SSO switch" and Google Accounts OP.
On the right, there appears to be some variant of SAML2, between the "SSO switch" and the SAML2 Relying Party.
Presumably, when a Google Apps domain is the target on the right, the bridge is talking SAML2 to the domain (not openid2).
It's not clear if the PingConnect "SSO switch" is
a) hosted by a third party
b) hosted by one of: the hub or spoke
c) can each Google Apps domain choose a different "provider" of the SSO switch, or is it mandated by Google?
d) can one cascade SSO switches?
e) was UCI retained - i.e. a user of RP's SAAS service retains OP portability
The art here is clearly how end-end trust is managed - independently of all this translation of assertion messages, ping/pong websso flows, and security markups.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.jpg
Type: image/jpeg
Size: 43379 bytes
Desc: image.jpg
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20090728/94d6de51/attachment-0002.jpg>