Dennis' Weblog
Friday Apr 13, 2007
How to federate a user?
Someone asked this question: "How to federate a user?" Here is the sequence.
- The user visits the Service Provider (SP) for the first time and authenticates with the SP.
- The SP then presents the user with a list of Identity Providers (IdPs).
- The user chooses one of them and authenticates with it.
- A Name Identifier is created. The Name ID hides the user's real identity. For example, the user is joesmith at the SP and jsmith at the IdP, and his/her Name ID is xyz (xyz is only an illustration; a real Name ID is much longer). Between the SP and the IdP, the user is referred to only as xyz.
- The IdP registers the Name ID together with the SP's ID, and then redirects the request back to the SP.
- The SP registers the Name ID together with the IdP's ID.
This is only the beginning of Liberty/SAML ........
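The six steps above, worked through as an added example (this is illustrative code written for this page, not OpenSSO or Liberty code). It models an SP and an IdP with their own local account stores, mints a random opaque Name ID at the IdP, and has each side record the Name ID against the other party's entity ID. The entity IDs, the account names other than joesmith/jsmith, the passwords and the dict that stands in for a signed assertion are all constructed for the illustration; a real deployment checks the assertion's signature, which is omitted here. The example goes one step beyond the post by federating the same IdP user with a second SP, to show that each SP receives a different Name ID and so two SPs cannot correlate the user.

```python
import secrets

# Constructed sample accounts for this illustration: the post's joesmith at
# the SP and jsmith at the IdP. Passwords are made up.
SP_USERS = {"joesmith": "sp-pass"}
IDP_USERS = {"jsmith": "idp-pass"}


class IdentityProvider:
    def __init__(self, entity_id, users):
        self.entity_id = entity_id
        self.users = users
        self.federations = {}  # (sp_entity_id, name_id) -> local IdP user

    def authenticate(self, user, password):
        return self.users.get(user) == password

    def federate(self, user, sp_entity_id):
        """Mint an opaque Name ID for this user/SP pair and record it."""
        if user not in self.users:
            raise KeyError("unknown IdP user")
        name_id = secrets.token_urlsafe(32)  # random: reveals nothing about jsmith
        self.federations[(sp_entity_id, name_id)] = user
        # A real SAML assertion is signed; this unsigned dict stands in for it.
        return {"issuer": self.entity_id, "audience": sp_entity_id,
                "name_id": name_id}

    def name_id_for(self, user, sp_entity_id):
        """Later SSO: reuse the Name ID already registered for this SP."""
        for (sp, nid), u in self.federations.items():
            if sp == sp_entity_id and u == user:
                return nid
        return None


class ServiceProvider:
    def __init__(self, entity_id, users, trusted_idps):
        self.entity_id = entity_id
        self.users = users
        self.trusted_idps = set(trusted_idps)  # the list offered to the user
        self.federations = {}  # (idp_entity_id, name_id) -> local SP user

    def authenticate(self, user, password):
        return self.users.get(user) == password

    def register_federation(self, local_user, assertion):
        """Step 6: accept the IdP's response and record the Name ID."""
        if assertion["issuer"] not in self.trusted_idps:
            raise ValueError("response from an IdP that is not in the SP's list")
        if assertion["audience"] != self.entity_id:
            raise ValueError("response addressed to a different SP")
        self.federations[(assertion["issuer"], assertion["name_id"])] = local_user

    def resolve(self, idp_entity_id, name_id):
        """Map an (IdP, Name ID) pair back to the local account, if federated."""
        return self.federations.get((idp_entity_id, name_id))


def federate_user(sp, sp_user, sp_pw, idp, idp_user, idp_pw):
    """Run the six steps from the post; returns the Name ID both sides stored."""
    if not sp.authenticate(sp_user, sp_pw):           # 1. log in at the SP
        raise PermissionError("SP login failed")
    if idp.entity_id not in sp.trusted_idps:          # 2./3. pick an IdP from the list
        raise ValueError("chosen IdP is not offered by this SP")
    if not idp.authenticate(idp_user, idp_pw):        # 3. log in at the IdP
        raise PermissionError("IdP login failed")
    assertion = idp.federate(idp_user, sp.entity_id)  # 4./5. mint + register at IdP
    sp.register_federation(sp_user, assertion)        # 6. register at SP
    return assertion["name_id"]


def demo():
    """Federate jsmith with two SPs; hypothetical entity IDs and accounts."""
    idp = IdentityProvider("https://idp.example.org", IDP_USERS)
    sp1 = ServiceProvider("https://sp1.example.com", SP_USERS, [idp.entity_id])
    sp2 = ServiceProvider("https://sp2.example.com", {"joe": "x"}, [idp.entity_id])
    nid1 = federate_user(sp1, "joesmith", "sp-pass", idp, "jsmith", "idp-pass")
    nid2 = federate_user(sp2, "joe", "x", idp, "jsmith", "idp-pass")
    return {
        "name_id": nid1,
        "sp_sees": sp1.resolve(idp.entity_id, nid1),  # the SP's local joesmith
        "idp_reuses": idp.name_id_for("jsmith", sp1.entity_id) == nid1,
        "distinct_per_sp": nid1 != nid2,  # sp1 and sp2 cannot correlate jsmith
        "unknown_rejected": sp1.resolve(idp.entity_id, "not-federated") is None,
    }


if __name__ == "__main__":
    print(demo())
```

The point to notice is that neither joesmith nor jsmith ever crosses the wire: the only identifier shared is the random Name ID, and each side keys its mapping by that value plus the partner's entity ID, so the same Name ID from a different IdP, or a Name ID the SP never registered, resolves to nothing.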
Posted at 12:35AM Apr 13, 2007 by justme in OpenSSO | Comments[3]
Posted by Nico on April 13, 2007 at 08:49 AM PDT #
Posted by Dennis Seah on April 13, 2007 at 10:16 AM PDT #
Well, some of us (think IETF Kerberos weenies) call this the Identity Selection problem. It crops up in many places. In general there is no solution and in the worst case the app has to ask the user; the app can cache the user's choices, and other things can be done, but in the end there is no way to fully automate Identity Selection.
Also, in a very large federation the scheme you describe bloats the SP's first reply to the client. I.e., there's a scalability issue. Hierarchical federation can help, of course, but ad-hoc federation is, no doubt, required to be supported, and probably even the prevailing deployment scenario. It may be simpler for the client to tell the SP about the IdPs that it can authenticate with so that the SP may then pare its list to just those that match, though this would probably create privacy issues.
Posted by Nico on April 15, 2007 at 11:20 PM PDT #