OpenID and SAML Convergence Touchpoints

From InternetIdentityWorkshop

Eve Maler and David Recordon led this session.

What Does Convergence Mean?

We discussed what it could mean to "converge". One person observed that it would be okay not to literally converge, as long as identity providers pick up the slack in becoming multi-protocol so that a relying party can just interact with them with the expectation that it can be spoken to in its preferred language. But others preferred convergence where possible, so as not to have to worry about the complexity of multiple technology stacks. Interoperability is to be preferred even where convergence is impossible, though. We described these increasing levels of compatibility (note: Eve applied these labels after the fact! please revise if you feel other terms would be appropriate):

  • Nothing: No compatibility whatsoever, driven by completely independent design processes uninformed by each other's work
  • Equivalence: Canonical ways to transform data and processes from one system to another as necessary
  • Compatibility: Bridge technologies that assist the use of the two systems together, which might "flow" in one direction or both directions
  • Convergence: Arriving at a single solution where previously there were multiple solutions

We listed a number of areas of potential interest, and by a show of hands indicated the level of interest in each. Those areas with 10 or more hands raised were "high", those with 5-9 were "medium", and those with fewer than 5 were "low". It should be noted that our discussion ranged across OpenID and SAML, as well as Liberty ID-WSF (the identity web services framework).

High-Priority Touchpoints

  • SSO: The single sign-on philosophy and use cases shared by the two
  • SLO: The single logout philosophy and use cases SAML can offer
  • Identifier format: Part of OpenID's essence, but something SAML is agnostic about
  • Assertion transformation: How to convert between OpenID and SAML assertions, if possible
  • Discovery: Part of OpenID's essence, but something for which SAML provides several (weaker) options
  • Trust model: The differing assumptions between the two about who trusts whom and how
  • Privacy-preserving pseudonyms: The use cases for pseudonymity shared by the two
  • User experience: Addressed today by OpenID but not (much) by SAML or Liberty
  • Communications channels: How data flows and the security considerations of each mechanism
  • Attribute query and exchange: Ways of letting attributes flow, with privacy and policy in the mix

Medium-Priority Touchpoints

  • Metadata: The differing metadata formats each provides for "provider" characteristics
  • Bootstrapping into identity services: Provided by Liberty ID-WSF only for SAML, so far
  • Identity services: General use cases as addressed by Liberty ID-WSF
  • People Service: Shared use cases between the two for person-to-person federation
  • Authn Context/Assertion Quality Extension: Describing the nature of authentication needed or done

Low-Priority Touchpoint

  • Account link management: SAML's features for ongoing management of an account-linking federation

Next Steps

It was noted that the iSSO specifications provide a great starting point for defining one "compatibility" (bridging) technology, as demonstrated at this workshop by Pat Patterson: the use of i-name identifiers and their corresponding discovery and metadata features with a SAML authentication service. The suggestion was made to formalize and flesh out this spec.

Eve and Paul Madsen recently proposed a small SAML attribute profile for OpenID Simple Registration attributes that probably falls into the "equivalence" category. Dick Hardt has proposed a spec for signed assertions that involves SAML styles of representing attributes and assertions overall, which seems to fall into the "bridging" category.

The work on the Assertion Quality Extension (link is to draft 3) is an example of work a number of us hope will be in the "equivalence" category initially.