How to federate a user?

Someone asked this question. "How to federate a user?" Here is the sequence diagram.

  • The user visits the Service Provider (SP) for the first time and authenticates with the SP.
  • The SP then presents the user with a list of Identity Providers (IDPs).
  • He/she chooses one of them and authenticates with it.
  • A Name Identifier is created. The Name ID hides the real identity of the user. For example, the user is joesmith at the SP and jsmith at the IDP, and his/her Name ID is xyz (xyz is only an illustration; a real Name ID is much longer). To the SP and the IDP, the user is known only as xyz for this link.
  • The IDP registers the Name ID together with the SP ID, and then redirects the request back to the SP.
  • The SP registers the Name ID together with the IDP ID.
Pretty simple, right?

This is only the beginning of Liberty/SAML ........
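The six steps above, worked through as an added example (not code from the original post or from any Liberty/SAML implementation): a toy IDP and SP each keep their own account-linking table keyed by an opaque, randomly generated Name ID, so that on a later visit the IDP asserts only the Name ID and the SP maps it back to joesmith without either side ever revealing its local username. It also shows the two checks a practitioner wants: a different SP receives a different Name ID (so two SPs cannot correlate the user), and the SP accepts Name IDs only from IDPs in its circle of trust. All identifiers (idp.example, sp.example, jsmith, joesmith) are constructed sample values.

```python
import secrets

class IdentityProvider:
    def __init__(self, idp_id, users):
        self.idp_id = idp_id
        self.users = set(users)
        self.links = {}  # (sp_id, name_id) -> local user

    def federate(self, local_user, sp_id):
        # Steps 4-5: mint a random, pairwise Name ID and record it with the SP ID.
        assert local_user in self.users
        name_id = secrets.token_urlsafe(24)
        self.links[(sp_id, name_id)] = local_user
        return name_id

    def assert_identity(self, local_user, sp_id):
        # Later visits: hand the SP its Name ID only, never the local username.
        for (sid, nid), user in self.links.items():
            if sid == sp_id and user == local_user:
                return nid
        return None

class ServiceProvider:
    def __init__(self, sp_id, users, circle_of_trust):
        self.sp_id = sp_id
        self.users = set(users)
        self.trusted_idps = set(circle_of_trust)
        self.links = {}  # (idp_id, name_id) -> local user

    def register(self, local_user, idp_id, name_id):
        # Step 6: store the Name ID against the IDP ID for this local account.
        assert local_user in self.users
        self.links[(idp_id, name_id)] = local_user

    def resolve(self, idp_id, name_id):
        # Accept only IDPs in the circle of trust, and only Name IDs already linked.
        if idp_id not in self.trusted_idps:
            return None
        return self.links.get((idp_id, name_id))

def federation_demo():
    idp = IdentityProvider("idp.example", ["jsmith"])
    sp = ServiceProvider("sp.example", ["joesmith"], ["idp.example"])
    other_sp = ServiceProvider("other.example", ["joe"], ["idp.example"])
    name_id = idp.federate("jsmith", sp.sp_id)          # first visit: link created
    sp.register("joesmith", idp.idp_id, name_id)
    later = idp.assert_identity("jsmith", sp.sp_id)     # later visit: Name ID only
    other_id = idp.federate("jsmith", other_sp.sp_id)   # other SP gets a different Name ID
    return (sp.resolve(idp.idp_id, later), later == name_id,
            other_id != name_id, sp.resolve("rogue.example", name_id))
```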

Comments:

This is very similar to something called IAKERB. This is one aspect of federation that is interesting. Another interesting aspect: how to establish trust paths such that the SP knows about and can list to the client a given IdP. Yet another interesting issue: how the client can help the user select an identity to use in any given situation (this one is hard).

Posted by Nico on April 13, 2007 at 01:49 AM PDT #

The SP and IDP would have to be in the same circle of trust. So the SP knows its IDPs. Yes, the user needs to select the IDPs and he/she does not know which one to choose :-). The problem can be resolved if there is only one IDP; and we can preselect the IDP for the user (the default/preferred IDP).

Posted by Dennis Seah on April 13, 2007 at 03:16 AM PDT #

Well, some of us (think IETF Kerberos weenies) call this the Identity Selection problem. It crops up in many places. In general there is no solution and in the worst case the app has to ask the user; the app can cache the user's choices, and other things can be done, but in the end there is no way to fully automate Identity Selection.

Also, in a very large federation the scheme you describe bloats the SP's first reply to the client. I.e., there's a scalability issue. Hierarchical federation can help, of course, but ad-hoc federation is, no doubt, required to be supported, and probably even the prevailing deployment scenario. It may be simpler for the client to tell the SP about the IdPs that it can authenticate with so that the SP may then pare its list to just those that match, though this would probably create privacy issues.

Posted by Nico on April 15, 2007 at 04:20 PM PDT #
