security-services message



Subject: OpenID SimplePermissions and SAML constrained delegation


At the last IIW, I learned about an OpenID extension that the BYU  
folks have created for what they call "SimplePermissions" -- a means  
of doing constrained delegation by exploiting the fact that you pump  
an identifier into the RP to get things rolling.  Here's more info:

http://wiki.eclab.byu.edu/index.cgi?SimplePermissions
http://www.eclab.byu.edu/simplepermissions_techreport.pdf

The basic idea is that the OP has a record of delegation policies for  
its subjects (e.g., I set up a rule saying Brian can act as me), and  
when Brian goes to an RP, he supplies *my* OpenID, then logs in as  
*himself* when he gets redirected.  There are some limitations on how  
far you can take this (how many "proxy" hops) and some variations on  
how to accomplish it (e.g. using directed identity such that Brian has  
to supply my ID in a special interface at the OP rather than at the  
RP), but it pretty much layers thinly on top of the vanilla OpenID  
Authentication protocol.

For full delegation, the RP doesn't have to do much that's special.   
The OP hands it info about both identities in play (Brian's as an  
ordinary name/value pair -- an "attribute" -- so the RP can properly  
log the delegate's access, and mine as the main subject).  For any  
kind of finer-grained access, e.g. read vs. write or read this  
resource vs. that one, the RP can indicate its universe of access  
options as simple keywords in some fashion (I'm relating all this from  
memory -- will have to check with the docs linked above to see if I  
got this right).

In previous discussions we never really saw a browser SSO delegation  
profile all the way through.  Shib got as far as this:

http://shibboleth.internet2.edu/docs/draft-cantor-saml-sso-delegation-01.pdf

And the grid community does this with web services use cases (a  
simpler form of what ID-WSF is doing with its WS-Sec profiles?):

http://www.cs.virginia.edu/papers/SAML_delegation.pdf

Is there any interest in tackling the user/browser side of all this  
for SAML in an OpenID SimplePermissions-like fashion?  Is there value  
in standardizing a modular "assertion profile" (for use with various  
scenario-based profiles) for holding the delegation info?  My interest  
is just academic, but at the risk of starting a perma-thread I thought  
I'd ask all of you folks what you think.  If someone has a burning  
need for something like this, and if none of the other existing  
profiles suffice, I figured now is a good time to consider the  
proposition and potential owners.

	Eve

Eve Maler                                         +1 425 947 4522
Principal Engineer                            eve.maler @ sun.com
Business Alliances group                    Sun Microsystems, Inc.
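As an added illustration (not code from the post, the BYU SimplePermissions spec, or any OP implementation), the following models the OP-side decision the message sketches: the delegate presents the principal's identifier at the RP, authenticates as himself at the OP, and the OP consults its delegation policy store, bounds the number of "proxy" hops, intersects the permission keywords along the chain, and hands the RP the principal as subject plus the delegate as an attribute. The identifiers, policy contents and hop limit are constructed assumptions.

```python
# Constructed sample policy store (assumption, not from the post):
# principal identifier -> rules naming a delegate and the permission
# keywords that delegate may exercise on the principal's behalf.
DELEGATION_POLICIES = {
    "https://eve.example.net/": [
        {"delegate": "https://brian.example.net/",
         "permissions": {"calendar:read", "calendar:write"}},
    ],
    "https://brian.example.net/": [
        {"delegate": "https://carol.example.net/",
         "permissions": {"calendar:read"}},
    ],
}
MAX_PROXY_HOPS = 2  # constructed limit on chained ("proxy") delegation


class DelegationDenied(Exception):
    """Raised when no admissible delegation chain or permission exists."""


def find_delegation_chain(principal, user, hops_left):
    """Depth-limited search for principal -> ... -> user through the policy
    store. Returns (chain, permissions), where permissions is the
    intersection of every grant on the chain, or None if no chain fits."""
    if hops_left == 0:
        return None
    for rule in DELEGATION_POLICIES.get(principal, []):
        if rule["delegate"] == user:
            return [principal, user], set(rule["permissions"])
        deeper = find_delegation_chain(rule["delegate"], user, hops_left - 1)
        if deeper is not None:
            chain, perms = deeper
            # A proxy can never pass on more than it was granted itself.
            return [principal] + chain, perms & rule["permissions"]
    return None


def authorize(claimed_identifier, authenticated_user, requested,
              max_hops=MAX_PROXY_HOPS):
    """What the OP returns to the RP: the claimed (principal) identifier as
    the subject, the delegate chain as an attribute, and only the requested
    permission keywords the policy actually grants."""
    if claimed_identifier == authenticated_user:  # ordinary, non-delegated login
        return {"subject": claimed_identifier, "delegates": [],
                "permissions": set(requested)}
    found = find_delegation_chain(claimed_identifier, authenticated_user, max_hops)
    if found is None:
        raise DelegationDenied("no delegation chain within the hop limit")
    chain, granted = found
    allowed = set(requested) & granted
    if not allowed:
        raise DelegationDenied("none of the requested permissions is granted")
    return {"subject": claimed_identifier, "delegates": chain[1:],
            "permissions": allowed}
```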

