[OpenID] openid 2.1 and geneva - XRI?
Peter Williams
pwilliams at rapattoni.com
Sat May 16 22:14:28 UTC 2009
There is absolutely nothing in the following resources that refers to openid(2). But let's imagine MSFT were going to plug openid auth into the Geneva framework (along with all the other largely equivalent websso protocols):
http://blogs.msdn.com/card/archive/2009/05/12/what-s-new-in-geneva-beta-2.aspx
http://blogs.msdn.com/card/archive/2008/11/04/microsoft-geneva-framework.aspx
The (postulated) things I'd find most interesting would be, given their impact on the relevance of openid in an enterprise deployment:
integration with the AD-RMS server. If used much as RMS is used via IKE certs to create IPsec segmentation worlds in NAC environments, openid RPs could be benefiting from claims that are in fact RMS-issued short-lived certs (describing the health compliance of the PC to the RP). Rather than the RP worrying about password age, it simply processes the health cert (whose issuing policy addresses that compliance issue).
mapping of openid claims onto Windows tokens (allowing for onward delegation). This would be a variant of what's being done for SAML2 account linking. Obviously, those tokens want to convey the health standing of the clients, so as not to contaminate more trusted networks.
the HA and FT architecture, probably based on AD multi-mastering, locator protocols, site replication, etc. I.e. what would happen when openid is used in an enterprise context and an app must locate the openid federation gateway nearest to it, given the publication of its transformation capabilities.
Will there be a token handler for openid auth, much as there is for SAML, secure sessions for web services, Kerberos tokens, etc.? If nothing else, the openid auth MAC'ed assertion blob can be regarded as just another binary blob.
The use of UPN claims, allowing the federated trust model to support websso - as the RP must be AD-powered - so it can evaluate the binding of the UPN to the LDAP URI (or a GC URL, or [logically] an http openid URL).
Geneva implements SP-lite (which includes mandatory support for logout). Would openid auth 2.1 have to match this minimum?
----
Does anyone have any blog-style pointers about Microsoft future directions and XRI 2.0 resolution - probably on an AD-related list?
It will be interesting to see if MSFT creates a world of standalone XRI servers, much as it distinguishes between AD LDS naming contexts apps run for themselves, vs. the naming contexts managed by DCs supporting the Windows Network. I'd see this as a boon for openid RP webapps, if it were to happen - particularly when supporting delegation/portability-powered openid communities.