Federated Authorization
Hallam-Baker, Phillip
pbaker at verisign.com
Thu Jan 18 17:08:42 UTC 2007
The SAML specification is designed to target this precise set of requirements, and it has widespread support amongst vendors who support enterprise-class products.
If you want to have a third-party accreditation of a statement such as 'Dr Cripps is a licensed medical practitioner', it is going to be exceptionally hard to persuade them to use any format other than either an X.509v3 attribute assertion or a SAML assertion. From my point of view X.509v3 attribute assertions are not very interesting, as they bind the statement to an X.509v3 key certificate and thus to a public key and not to the entity that is certified. This ties the whole system to X.509/PKIX as the authentication infrastructure.
You can certainly use SAML in conjunction with an OpenID authentication mechanism. As far as SAML is concerned all that it cares about is that it has an identifier to bind to.
I don't think that the OpenID group wants to do the level of architecture that would be required to address authorization either. To make a statement of the type you suggest requires detailed consideration of the legal and liability issues. SAML is designed to address these; that is why it has the Audience constraint, and it is one motivation for the constraint mechanism.
The pieces SAML lacks are standard mechanisms for discovery and standard identifiers. These would not be at all hard to define: define the identifier to be a URI and instantiate an SRV-based discovery mechanism.
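As an added illustration of the Audience constraint referred to above (example code, not part of this thread): a relying party checks that a SAML 2.0 attribute assertion is actually addressed to it and is still inside its validity window before trusting the licensing statement it carries. The sample assertion, entity IDs, attribute name and timestamps are constructed for the example, and verification of the XML signature is assumed to have happened separately.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML2}

# Constructed sample, not from the thread: a hypothetical licensing board asserts
# the subject is a licensed practitioner and scopes it to one insurer's entity ID.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2}" ID="_a1" Version="2.0"
    IssueInstant="2007-01-18T17:00:00Z">
  <saml:Issuer>https://licensing-board.example/</saml:Issuer>
  <saml:Subject><saml:NameID>https://dr-cripps.example/</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2007-01-18T16:00:00Z" NotOnOrAfter="2007-01-19T16:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://insurer.example/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:example:licensed-medical-practitioner">
      <saml:AttributeValue>true</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_time(s):
    """Parse the UTC xs:dateTime form used in SAML Conditions (no fractional seconds here)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def accept_assertion(xml_text, my_entity_id, now):
    """Return the asserted attributes if the assertion names my_entity_id as an
    audience and is inside its validity window, otherwise None.
    The XML signature is assumed to have been verified before this call."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return None  # local policy: an unscoped, undated assertion is not accepted
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now < parse_time(nb):
        return None
    if noa and now >= parse_time(noa):
        return None
    # The Audience constraint: the issuer names who may rely on the statement.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        return None
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs
```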
________________________________
From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf Of McGovern, James F (HTSC, IT)
Sent: Thursday, January 18, 2007 11:52 AM
To: specs at openid.net
Subject: Federated Authorization
I would love to see folks here that also blog not only continue to discuss federated identity but also consider, over the course of several additional postings, talking about the need for federated authorization. Consider an example where a Doctor in a hospital is having an electronic interaction with a healthcare insurance provider. The hospital should be the identity provider, while the entity that licensed the Doctor for given sets of practices should be responsible for certain forms of authorization.
If we only talk about identity without authorization, the conversation will result in lots of great software where folks who create them won't make any money since consumer-centric interactions have volume without corresponding revenue.