<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hi Peter,<br>
<br>
Inline...<br>
<br>
Peter Williams wrote:
<blockquote
 cite="mid:18498B6C4F691545B050D6A531BA449502B23578@rapmsg02.rapnt.com"
 type="cite">
  <blockquote type="cite">
    <pre wrap="">-----Original Message-----
From: <a class="moz-txt-link-abbreviated" href="mailto:general-bounces@openid.net">general-bounces@openid.net</a> 
[<a class="moz-txt-link-freetext" href="mailto:general-bounces@openid.net">mailto:general-bounces@openid.net</a>] On Behalf Of Pat Patterson
Sent: Saturday, June 02, 2007 7:27 AM
To: Frans Thamura
Cc: <a class="moz-txt-link-abbreviated" href="mailto:general@openid.net">general@openid.net</a>
Subject: Re: [OpenID] Become OpenID Provider

Hi Frans,

There is also the OpenID Extension for OpenSSO: 
<a class="moz-txt-link-freetext" href="https://opensso.dev.java.net/public/extensions/openid/">https://opensso.dev.java.net/public/extensions/openid/</a>

This is already in production at <a class="moz-txt-link-freetext" href="http://www.ssocircle.com/">http://www.ssocircle.com/</a> 
and coming soon at <a class="moz-txt-link-freetext" href="http://openid.sun.com/">http://openid.sun.com/</a>
    </pre>
  </blockquote>
  <pre wrap=""><!---->1. IDP metadata sufficiency

So I tried to do some interworking with the IDP at ssocircle.com, using
its published metadata. I could NOT complete the setup because there was
no certificate in the metadata. As I'm a relying party, don't I need an
SSOCircle certificate to verify its SSO assertions (received over
redirect)?

&lt;md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID=<a class="moz-txt-link-rfc2396E" href="http://idp.ssocircle.com">"http://idp.ssocircle.com"</a>&gt;
  &lt;md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"&gt;
    &lt;md:ArtifactResolutionService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location=<a class="moz-txt-link-rfc2396E" href="http://idp.ssocircle.com:80/sso/ArtifactResolver/metaAlias/ssocircle">"http://idp.ssocircle.com:80/sso/ArtifactResolver/metaAlias/ssocircle"</a>
        index="0" isDefault="1" /&gt;
    &lt;md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location=<a class="moz-txt-link-rfc2396E" href="http://idp.ssocircle.com:80/sso/IDPSloRedirect/metaAlias/ssocircle">"http://idp.ssocircle.com:80/sso/IDPSloRedirect/metaAlias/ssocircle"</a>
        ResponseLocation=<a class="moz-txt-link-rfc2396E" href="http://idp.ssocircle.com:80/sso/IDPSloRedirect/metaAlias/ssocircle">"http://idp.ssocircle.com:80/sso/IDPSloRedirect/metaAlias/ssocircle"</a> /&gt;
    &lt;md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location=<a class="moz-txt-link-rfc2396E" href="http://idp.ssocircle.com:80/sso/IDPSloSoap/metaAlias/ssocircle">"http://idp.ssocircle.com:80/sso/IDPSloSoap/metaAlias/ssocircle"</a> /&gt;
    &lt;md:ManageNameIDService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location=<a class="moz-txt-link-rfc2396E" href="http://idp.ssocircle.com:80/sso/IDPMniRedirect/metaAlias/ssocircle">"http://idp.ssocircle.com:80/sso/IDPMniRedirect/metaAlias/ssocircle"</a>
        ResponseLocation=<a class="moz-txt-link-rfc2396E" href="http://idp.ssocircle.com:80/sso/IDPMniRedirect/metaAlias/ssocircle">"http://idp.ssocircle.com:80/sso/IDPMniRedirect/metaAlias/ssocircle"</a> /&gt;
    &lt;md:ManageNameIDService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location=<a class="moz-txt-link-rfc2396E" href="http://idp.ssocircle.com:80/sso/IDPMniSoap/metaAlias/ssocircle">"http://idp.ssocircle.com:80/sso/IDPMniSoap/metaAlias/ssocircle"</a> /&gt;
    &lt;md:NameIDFormat&gt;urn:oasis:names:tc:SAML:2.0:nameid-format:persistent&lt;/md:NameIDFormat&gt;
    &lt;md:NameIDFormat&gt;urn:oasis:names:tc:SAML:2.0:nameid-format:transient&lt;/md:NameIDFormat&gt;
    &lt;md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location=<a class="moz-txt-link-rfc2396E" href="http://idp.ssocircle.com:80/sso/SSORedirect/metaAlias/ssocircle">"http://idp.ssocircle.com:80/sso/SSORedirect/metaAlias/ssocircle"</a> /&gt;
  &lt;/md:IDPSSODescriptor&gt;
&lt;/md:EntityDescriptor&gt;
  </pre>
</blockquote>
I don't run SSOCircle, but I passed this on to <a
 href="http://www.ssocircle.com/about.shtml">Hu Liu</a>, who does (Hu
does? :-) ).<br>
<blockquote
 cite="mid:18498B6C4F691545B050D6A531BA449502B23578@rapmsg02.rapnt.com"
 type="cite">
  <pre wrap="">2. Multi-Protocol Brokering

Now to the fun part - with OpenID involved.

If my multi-protocol-capable OP site receives an OpenID Authentication
[Request] message, I'm intending that this is translated into an
SP-initiated WebSSO Request. This Assertion Request will be tagged with
the name of my "OP-SAML2-broker-entityID" (a term I just made up, for
want of knowing a better one).

The idea is that upon receipt of the SAML2 message, my SAML2 IDP will
message switch the request to one of the several other IDPs that it
knows about, in its inter-IDP trust model. This [de]multiplexing switch
will route the flow through the metadata-driven trust fabric, based on
the "OP-SAML2-broker-entityID".
  </pre>
</blockquote>
I think this is possible right now with OpenSSO and its OpenID
extension - OpenID RP -&gt; [OpenID OP/SAML2 SP] -&gt; SAML2 IdP.
AFAICS, the trick would be in configuring it so that, for instance, an
OpenID authN request for you might go to idp.rapattoni.com and an
OpenID authN request for me would go to idp.sun.com.<br>
<br>
Paul B - are you there? Thoughts?<br>
<blockquote
 cite="mid:18498B6C4F691545B050D6A531BA449502B23578@rapmsg02.rapnt.com"
 type="cite">
  <pre wrap="">3. Realty's meta-data Repository

Organized Realty already has a standard for specifying, handling and
querying (realty-related) information on the basis of metadata. The
standard is at rets.org. And, several metadata-aware user agents exist
and are widely adopted, to exploit this intelligence.

The fun part is now to somehow technically coordinate the OpenID world,
the SAML2 metadata, and the Realty metadata repository so there is a
standard way for inter-IDP-switching logic to build an instance of a
trust fabric - in much the same way that high-end internet router cards
on a backplane can upload pre-processed flow tables into their FPGAs.
  </pre>
</blockquote>
This indeed would be the identity meta-system :-)<br>
<br>
There is some early thinking around this:<br>
<ul>
  <li>ISSO: <a class="moz-txt-link-freetext" href="http://wiki.xdi.org/moin.cgi/IservicesSpecs">http://wiki.xdi.org/moin.cgi/IservicesSpecs</a><br>
  </li>
  <li>Almost an ISSO demo:
<a class="moz-txt-link-freetext" href="http://blogs.sun.com/superpat/entry/yadis%2Fxri_identifier_resolution_with_saml">http://blogs.sun.com/superpat/entry/yadis%2Fxri_identifier_resolution_with_saml</a></li>
  <li>Concordia: <a class="moz-txt-link-freetext" href="http://wiki.projectliberty.org/index.php/Concordia">http://wiki.projectliberty.org/index.php/Concordia</a></li>
</ul>
I think a lot of disparate technical details are in place for this - a
concrete real-world use case might be just what it needs to push it all
forward...<br>
<br>
Cheers,<br>
<br>
Pat<br>
<pre class="moz-signature" cols="72">-- 
Pat Patterson - <a class="moz-txt-link-abbreviated" href="mailto:pat.patterson@sun.com">pat.patterson@sun.com</a>
Federation Architect,
Sun Microsystems, Inc.
<a class="moz-txt-link-freetext" href="http://blogs.sun.com/superpat">http://blogs.sun.com/superpat</a>
</pre>
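<p>Added example (not part of the thread above, and not SSOCircle or OpenSSO code): the check a relying party would run on IdP metadata before trusting it, which is the gap point 1 describes. It looks for a <code>&lt;md:KeyDescriptor&gt;</code> usable for signing (per the SAML 2.0 metadata spec, a descriptor with no <code>use</code> attribute serves both signing and encryption) and, as a secondary finding, lists endpoints not served over TLS. Both metadata documents are constructed samples: <code>idp.example.test</code> is a placeholder entity shaped like the quoted metadata, and the certificate body is base64 of a dummy string, not a real X.509 certificate.</p>
<pre>
```python
"""Check SAML 2.0 IdP metadata for what a relying party needs before it can
verify assertions delivered over HTTP-Redirect/POST: a signing certificate.
Stand-alone example using only the standard library."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample shaped like the IdP metadata quoted in the thread:
# an IDPSSODescriptor with endpoints but no KeyDescriptor at all.
NO_KEY_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://idp.example.test">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.test:80/sso/SSORedirect/metaAlias/idp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample that does carry a signing key. The certificate content is
# a placeholder (base64 of a dummy string), NOT a real X.509 certificate.
FAKE_CERT_B64 = base64.b64encode(b"not-a-real-certificate").decode()
WITH_KEY_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso/SSORedirect/metaAlias/idp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def signing_certs(metadata_xml):
    """Return the DER bytes of each certificate the RP may use to verify the
    IdP's signatures. KeyDescriptors with use="signing" or with no 'use'
    attribute qualify (absent 'use' means both purposes in the SAML metadata
    spec); use="encryption" descriptors are skipped."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # Base64 in metadata is often wrapped; strip all whitespace first.
            certs.append(base64.b64decode("".join(cert.text.split())))
    return certs


def insecure_endpoints(metadata_xml):
    """Return every Location/ResponseLocation URL that is not https."""
    root = ET.fromstring(metadata_xml)
    return [
        url
        for el in root.iter()
        for attr in ("Location", "ResponseLocation")
        if (url := el.get(attr)) and not url.lower().startswith("https://")
    ]


def rp_can_verify_assertions(metadata_xml):
    """Without at least one signing certificate the RP has nothing to check a
    redirect- or POST-delivered assertion against; metadata is insufficient."""
    return len(signing_certs(metadata_xml)) > 0


if __name__ == "__main__":
    for label, md in (("no-key", NO_KEY_METADATA), ("with-key", WITH_KEY_METADATA)):
        print(label, "verifiable:", rp_can_verify_assertions(md),
              "non-TLS endpoints:", insecure_endpoints(md))
```
</pre>
<p>The first sample reproduces the situation in point 1: no certificate, so <code>rp_can_verify_assertions</code> is false and setup should refuse to proceed rather than accept unsigned or unverifiable responses. A production RP would additionally pin the extracted certificate(s) as the only acceptable signers for that entityID when validating the <code>&lt;ds:Signature&gt;</code> on incoming responses.</p>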
</body>
</html>