RE: Identity Federation

["Cahill, Conor P" <conor.p.cahill@intel.com>]

There isn’t any one defined way of doing this.  However, the more typical case is:

 

·         User visits SP and performs some transaction that requires authentication (e.g. goes to check out).  On the authentication tab, user indicates that she wants to use her IdP to authenticate her (how she indicates this varies greatly from the OpenID style of typing in your IdP to what I refer as the scarab approach – having a button on the login screen saying ‘Use my xxx Identity here’).

·         SP redirects user to IdP for SSO authentication

·         IdP authenticates user (or takes advantage of existing session if the user previously authenticated within the same browser session)

·         IdP may prompt user for permission to “federate” user’s identity to SP at this point depending upon privacy settings.

·         IdP redirects user to SP with a SAML response including identity for user at SP (assigned by IdP).

·         SP, seeing that identity for the first time asks user:   Hey, I haven’t seen this identity from IdP before.  Do you want to associate it with an existing account or do you want to start a new account?

·         If user selects “existing account”, SP prompts for existing SP local authentication credentials so that the IdP identity can be bound to the user’s identity at the SP.   If the user selects “new account” the SP creates a new account for the user.

·         The SP may (especially in early days of federation) choose to maintain local credentials for users so that they can access their account should the IdP not be available.  However, I expect that over time the SPs will move away from feeling the need to do this.

 

Of course, this sequence can happen in many way and many different options (e.g. user goes to IdP, selects SP from list at IdP and IdP pushes user to SP with an unsolicited SAML response – a push SSO to the SP that is commonly used in Portals).

 

Conor

 

From: Filipa Moura [mailto:filipa.moura@alert.pt]
Sent: Wednesday, April 22, 2009 4:23 AM
To: saml-dev@lists.oasis-open.org
Subject: [saml-dev] Identity Federation

 

Hello,

i’ve read the Identity Federation specification on http://www.oasis-open.org/committees/download.php/22553/sstc-saml-tech-overview-2%200-draft-13.pdf -> 2.3 Identity Federation Use Case) but I have some questions about the flow.. could you help me ?

 

Is it like this:

 

IdP -> User “john” logs in
IdP -> User “john” is logged

SP -> User “jpf” logs in
SP -> User “jpf” is logged
SP -> knows that the user has already visited the IdP (how does he know that the user has previously visited the IdP?)

SP -> Asks “jpf” to consent identity with IdP

SP -> “jpf” replies yes and is redirected to the IdP

IdP -> Creates a new pseudonym for “john” (how?) (for example, pseudonym is ABC)

IdP -> stores the information that “john” is also “ABC”

IdP -> redirects user to SP and sends an SAML <Assertion> with the pseudonym “ABC”

SP -> receives the <Assertion> and extracts the pseudonym

SP -> stores the information that “jpf” is also “ABC”

 

Is this right? If not, how should it be done?

Thank you

 

Filipa Moura