RE: [security-services] Comment on sstc-saml-glossary-2.0 (also closes AI #0114)

[Scott Cantor <cantor.2@osu.edu>]

> Agreed, many different identifiers can express federated identity so it is
> not clear what is meant by "7.3.6 Federated Identifier". 
> Perhaps this should be "Persistent Privacy Preserving Identifier" or
> "Persistent Pseudonym" ? 

Roughly yes. I think that's what is relevant there.

> I have no issue with this approach. The only thing somewhat unclear to me
> is how the <AuthNRequest, AuthResponse> pair is used for establishing a
> identity federation for a particular principal. Maybe I just need to read
> section 3.4 carefully.

The chief difference between ID-FF and my proposed protocol is that it does
not contain semantics for creating one. I can tell the IdP that I want a
particular kind of identifier, and persistence is certainly one property of
various kinds we have. It's the IdP that recognizes the relationship it may
have with the requester for that principal, or the IdP can create such a
relationship, subject to policy and consent, etc.

The SP can then participate in or ignore that relationship, but it never
puts anything in an AuthnRequest that distinguishes between an existing one
and a new one. I have not seen a need to make that distinction in the spec.

-- Scott