Subject: RE: Identity Federation
There isn't any one defined way of doing this. However, the more typical case is:

- User visits SP and performs some transaction that requires authentication (e.g. goes to check out). On the authentication tab, user indicates that she wants to use her IdP to authenticate her (how she indicates this varies greatly from the OpenID style of typing in your IdP to what I refer to as the scarab approach: having a button on the login screen saying 'Use my xxx Identity here').
- SP redirects user to IdP for SSO authentication.
- IdP authenticates user (or takes advantage of existing session if the user previously authenticated within the same browser session).
- IdP may prompt user for permission to "federate" user's identity to SP at this point depending upon privacy settings.
- IdP redirects user to SP with a SAML response including identity for user at SP (assigned by IdP).
- SP, seeing that identity for the first time, asks user: Hey, I haven't seen this identity from IdP before. Do you want to associate it with an existing account or do you want to start a new account?
- If user selects "existing account", SP prompts for existing SP local authentication credentials so that the IdP identity can be bound to the user's identity at the SP. If the user selects "new account", the SP creates a new account for the user.
- The SP may (especially in early days of federation) choose to maintain local credentials for users so that they can access their account should the IdP not be available. However, I expect that over time the SPs will move away from feeling the need to do this.

Of course, this sequence can happen in many ways with many different options (e.g. user goes to IdP, selects SP from list at IdP and IdP pushes user to SP with an unsolicited SAML response, a push SSO to the SP that is commonly used in Portals).

Conor

From: Filipa Moura
[mailto:filipa.moura@alert.pt]

Hello,

I've read the Identity Federation specification on http://www.oasis-open.org/committees/download.php/22553/sstc-saml-tech-overview-2%200-draft-13.pdf (-> 2.3 Identity Federation Use Case) but I have some questions about the flow. Could you help me? Is it like this:

- IdP -> User "john" logs in
- SP -> User "jpf" logs in
- SP -> Asks "jpf" to consent identity with IdP
- SP -> "jpf" replies yes and is redirected to the IdP
- IdP -> Creates a new pseudonym for "john" (how?) (for example, pseudonym is ABC)
- IdP -> Stores the information that "john" is also "ABC"
- IdP -> Redirects user to SP and sends a SAML <Assertion> with the pseudonym "ABC"
- SP -> Receives the <Assertion> and extracts the pseudonym
- SP -> Stores the information that "jpf" is also "ABC"

Is this right? If not, how should it be done?

Thank you,
Filipa Moura
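Added example (my own illustration, not code from the thread or from the SAML TC): the SP-side half of the flow Conor describes, in Python, on a constructed assertion carrying the persistent pseudonym "ABC". It assumes the assertion's signature and audience were already verified, keys the link on (Issuer, pseudonym) rather than on the pseudonym alone, and only binds to an existing local account after the user presents that account's credentials.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not captured traffic): the IdP asserts pseudonym "ABC" to the SP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0" IssueInstant="2007-05-01T10:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
        NameQualifier="https://idp.example.org"
        SPNameQualifier="https://sp.example.com">ABC</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def extract_federated_id(assertion_xml):
    """Return (issuer, NameID format, pseudonym); assumes the assertion's signature
    and audience were already verified before this step."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS).strip()
    name_id = root.find("saml:Subject/saml:NameID", NS)
    return issuer, name_id.get("Format"), name_id.text.strip()


class ServiceProvider:
    # Hypothetical SP account store: local accounts plus federated-identity links.
    def __init__(self):
        self.local_credentials = {"jpf": "jpf-password"}  # constructed local account
        self.accounts = {"jpf"}
        self.links = {}  # (issuer, pseudonym) -> local account name

    def on_saml_response(self, assertion_xml, choice=None, username=None, password=None):
        issuer, _fmt, pseudonym = extract_federated_id(assertion_xml)
        key = (issuer, pseudonym)  # scope the pseudonym to the IdP that asserted it
        if key in self.links:
            return "login", self.links[key]  # already federated: straight into the account
        if choice is None:
            return "prompt", None  # identity seen for the first time: ask the user
        if choice == "existing":
            # bind only after the user proves control of the local account
            if username not in self.local_credentials or self.local_credentials[username] != password:
                return "denied", None
            self.links[key] = username
            return "linked", username
        if choice == "new":
            new_name = f"user{len(self.accounts) + 1}"  # no local password: IdP-only access
            self.accounts.add(new_name)
            self.links[key] = new_name
            return "created", new_name
        raise ValueError("unknown choice")
```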