<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
And to clarify Chris's reference to Liberty Alliance, Liberty's
Discovery Service is more comparable to XRD - a service at which the RP
can query the user's various services and locations (and in Liberty,
obtain security tokens for those discovered endpoints, à la WRAP &
WS-Trust).<br>
<br>
The Liberty DS did not track current authn sessions like XAuth. And
neither does/did SAML's Common Domain Cookie - it was meant to be a
history of past authn sessions (so slightly less timely info).<br>
<br>
paul <br>
<br>
On 4/19/2010 3:14 PM, Nate Klingenstein wrote:
<blockquote
cite="mid:CA16AD3A-9CB3-496C-9EF7-C8B325F833C8@internet2.edu"
type="cite">Chris,
<br>
<br>
Here's the final specification for one of the models you're referring
to, the Discovery Service. It existed for many years prior to that as
the "WAYF" -- "where are you from?" service, and it's the one with wide
purchase in academia.
<br>
<br>
<a class="moz-txt-link-freetext" href="http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.html">http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.html</a>
<br>
<br>
The XAuth proposal also seems, on a quick, distracted glance, to have
flavors of the "common domain cookie" in the original SAML specs, but
that failed in deployment.
<br>
<br>
But most of the technical distinctions appear to me to be built around
the concept of integration with the user's session at the identity
provider. That would be radically different from what we've done thus
far, which caches and maintains nothing more than the user's choice of
identity provider; not even whether they're a legitimate user there.
<br>
<br>
It appears to place an enormous amount of power and centralization into
the hands of the XAuth service. We've always wanted the DS to be an
independent, optional piece of infrastructure, not the central cog
around which everything else rotates.
<br>
<br>
Interested to learn more, to see whether my initial reading here is
off.
<br>
Nate.
<br>
<br>
On Apr 19, 2010, at 6:24 PM, Chris Messina wrote:
<br>
<br>
<blockquote type="cite">In fact, this model is widely used in
academia and in Europe to simplify federated authentication.
<br>
</blockquote>
<br>
_______________________________________________
<br>
specs mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:specs@lists.openid.net">specs@lists.openid.net</a>
<br>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs">http://lists.openid.net/mailman/listinfo/openid-specs</a><br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Paul Madsen connectid.blogspot.com
NTT DATA AgileNet @paulmadsen
<a class="moz-txt-link-abbreviated" href="mailto:paulmadsen@nttdata.com">paulmadsen@nttdata.com</a>
6138588647
</pre>
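<br>
An added example (my own code, not code from the thread or from any of the projects named in it) to make the Common Domain Cookie point concrete. It follows the layout of the SAML 2.0 Profiles IdP Discovery Profile that Nate and Paul refer to: a cookie named <code>_saml_idp</code>, set in the common domain, whose value is a space-separated list of base64-encoded IdP entityIDs with the most recently used one last. The entityIDs and cookie domain are constructed sample data; moving an already-listed IdP to the end instead of duplicating it, URL-encoding the cookie value, and silently skipping malformed tokens are assumptions about implementation behaviour, not anything the thread states. What the simulation shows is exactly what an SP can and cannot learn from the cookie: a history of which IdPs the user has authenticated at, and nothing about whether any session is currently live there.<br>
<br>
```python
"""
Simulation of the SAML 2.0 Common Domain Cookie (CDC) discussed in the
thread above.  After an IdP authenticates a user it appends its entityID
to the shared `_saml_idp` cookie; an SP later reads the cookie to learn
which IdP(s) the user has used before.  Cookie name, base64 entries,
single-space separator and most-recent-last ordering follow the SAML 2.0
IdP Discovery Profile.  Everything else (dedupe-by-moving-to-end,
URL-encoding of the value, skipping bad tokens, the sample entityIDs) is
an assumption of this example.
"""
import base64
from urllib.parse import quote, unquote

CDC_NAME = "_saml_idp"


def decode_cdc(cookie_value):
    """Return the IdP entityIDs carried in a CDC value, oldest first.

    The cookie is client-controlled, so a token that is not valid base64
    or not valid UTF-8 is dropped rather than trusted or allowed to raise.
    """
    if not cookie_value:
        return []
    idps = []
    for token in unquote(cookie_value).split(" "):
        if not token:
            continue
        try:
            raw = base64.b64decode(token, validate=True)  # binascii.Error is a ValueError
            idps.append(raw.decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return idps


def encode_cdc(idps):
    """Serialise entityIDs (oldest first) as a CDC value.

    Assumption: the space-separated list is URL-encoded so the value is
    safe to put in a Set-Cookie header (spaces, '+', '/', '=' all escaped).
    """
    tokens = [base64.b64encode(i.encode("utf-8")).decode("ascii") for i in idps]
    return quote(" ".join(tokens), safe="")


def idp_record_authn(cookie_value, idp_entity_id):
    """What the IdP does right after it authenticates the user: put its
    own entityID at the end of the list.  Assumption: if it is already
    listed it is moved to the end rather than duplicated.  Note that the
    cookie records only *that* this IdP was used, not any session state."""
    idps = [i for i in decode_cdc(cookie_value) if i != idp_entity_id]
    idps.append(idp_entity_id)
    return encode_cdc(idps)


def sp_discover(cookie_value):
    """What the SP gets out of the cookie: the most recently used IdP, or
    None if the cookie is empty or unusable.  There is no session id, no
    assertion and nothing saying whether the user is still logged in at
    that IdP; the SP still has to send the user there and authenticate."""
    idps = decode_cdc(cookie_value)
    return idps[-1] if idps else None


if __name__ == "__main__":
    # Constructed sample entityIDs; no real deployments are implied.
    edu_idp = "https://idp.example.edu/idp/shibboleth"
    org_idp = "https://idp.example.org/saml2/idp"

    cdc = ""
    cdc = idp_record_authn(cdc, edu_idp)   # first login, at the .edu IdP
    cdc = idp_record_authn(cdc, org_idp)   # later login at the .org IdP
    cdc = idp_record_authn(cdc, edu_idp)   # back to .edu: moved to the end, not duplicated
    print(f"Set-Cookie: {CDC_NAME}={cdc}; Domain=.cdc.example.net; Path=/; Secure")
    print("history, oldest first:", decode_cdc(cdc))
    print("SP would try:", sp_discover(cdc))

    # A tampered cookie: the bogus token is skipped, the valid one survives.
    print("tampered:", decode_cdc(cdc + "%20not-base64!"))
```

The `Set-Cookie` line is printed only to show where the value would go; setting the cookie on a domain shared by every IdP and SP is the part Nate describes as placing power in one central place, and the cookie itself never carries proof of authentication.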
</body>
</html>