Subject: OpenID SimplePermissions and SAML constrained delegation
At the last IIW, I learned about an OpenID extension that the BYU folks have created for what they call "SimplePermissions" -- a means of doing constrained delegation by exploiting the fact that you pump an identifier into the RP to get things rolling. Here's more info:

http://wiki.eclab.byu.edu/index.cgi?SimplePermissions
http://www.eclab.byu.edu/simplepermissions_techreport.pdf

The basic idea is that the OP has a record of delegation policies for its subjects (e.g., I set up a rule saying Brian can act as me), and when Brian goes to an RP, he supplies *my* OpenID, then logs in as *himself* when he gets redirected. There are some limitations on how far you can take this (how many "proxy" hops) and some variations on how to accomplish it (e.g. using directed identity such that Brian has to supply my ID in a special interface at the OP rather than at the RP), but it pretty much layers thinly on top of the vanilla OpenID Authentication protocol.

For full delegation, the RP doesn't have to do much that's special. The OP hands it info about both identities in play (Brian's as an ordinary name/value pair -- an "attribute" -- so the RP can properly log the delegate's access, and mine as the main subject). For any kind of finer-grained access, e.g. read vs. write or read this resource vs. that one, the RP can indicate its universe of access options as simple keywords in some fashion (I'm relating all this from memory -- will have to check with the docs linked above to see if I got this right).

In previous discussions we never really saw a browser SSO delegation profile all the way through. Shib got as far as this:

http://shibboleth.internet2.edu/docs/draft-cantor-saml-sso-delegation-01.pdf

And the grid community does this with web services use cases (a simpler form of what ID-WSF is doing with its WS-Sec profiles?):

http://www.cs.virginia.edu/papers/SAML_delegation.pdf

Is there any interest in tackling the user/browser side of all this for SAML in an OpenID SimplePermissions-like fashion? Is there value in standardizing a modular "assertion profile" (for use with various scenario-based profiles) for holding the delegation info?

My interest is just academic, but at the risk of starting a perma-thread I thought I'd ask all of you folks what you think. If someone has a burning need for something like this, and if none of the other existing profiles suffice, I figured now is a good time to consider the proposition and potential owners.

Eve

Eve Maler +1 425 947 4522
Principal Engineer eve.maler @ sun.com
Business Alliances group Sun Microsystems, Inc.
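The flow the message describes (delegate presents the principal's identifier at the RP, authenticates as himself at the OP, and the OP consults its stored delegation policies before asserting the principal as subject and the delegate as an attribute) can be modelled as an OP-side authorization check. The following is an added illustration, not code from BYU's SimplePermissions extension or from any SAML profile: the policy table, identifiers, permission keywords and the hop limit are all constructed here. It shows the two checks an OP has to get right for this to be safe: the authenticated user must actually appear in the claimed principal's policy (directly or through a bounded chain of proxy hops), and the permissions it asserts are the intersection of the RP's requested keywords with what the policy grants, never the RP's full list.

```python
"""Toy model of the OP-side check in OpenID-style constrained delegation.

Constructed example: identifiers, the policy table and the permission
keywords are invented for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Set

# Delegation policies recorded at the OP, keyed by the principal's identifier.
# principal -> {delegate -> permission keywords the delegate may use}
POLICIES: Dict[str, Dict[str, Set[str]]] = {
    "https://eve.example/": {
        "https://brian.example/": {"read", "write"},
        "https://carol.example/": {"read"},
    },
    # Brian has in turn delegated a subset of his own rights to Dave.
    "https://brian.example/": {
        "https://dave.example/": {"read"},
    },
}

# Assumed default for how many delegation edges the OP will traverse.
MAX_PROXY_HOPS = 1


@dataclass(frozen=True)
class Assertion:
    subject: str                    # principal the RP should treat as acting
    delegate: Optional[str]         # authenticated user, handed to the RP as an attribute for logging
    permissions: FrozenSet[str]     # keywords the RP may honour for this session
    hops: int                       # delegation edges traversed (0 = ordinary login)


class DelegationDenied(Exception):
    pass


def resolve(claimed_id: str, authenticated_id: str, rp_requested: Iterable[str],
            hops: int = 0, max_hops: int = MAX_PROXY_HOPS) -> Assertion:
    """Decide whether authenticated_id may act as claimed_id.

    rp_requested is the RP's universe of access keywords; the returned
    permissions are its intersection with what the stored policy grants.
    Raises DelegationDenied otherwise.
    """
    requested = set(rp_requested)
    if claimed_id == authenticated_id:
        # No delegation in play: the user logged in as the identifier they supplied.
        return Assertion(claimed_id, None, frozenset(requested), hops)

    if hops >= max_hops:
        raise DelegationDenied("proxy hop limit reached")

    grants = POLICIES.get(claimed_id, {})

    # Direct delegation: the authenticated user is named in the principal's policy.
    if authenticated_id in grants:
        granted = grants[authenticated_id] & requested
        if not granted:
            raise DelegationDenied("policy grants none of the requested permissions")
        return Assertion(claimed_id, authenticated_id, frozenset(granted), hops + 1)

    # Chained delegation: some direct delegate of claimed_id has delegated onward.
    # Permissions narrow at every edge (intersection), and the hop limit bounds the search.
    for intermediate, scope in grants.items():
        try:
            inner = resolve(intermediate, authenticated_id, requested, hops + 1, max_hops)
        except DelegationDenied:
            continue
        granted = scope & inner.permissions
        if granted:
            return Assertion(claimed_id, authenticated_id, frozenset(granted), inner.hops)

    raise DelegationDenied(f"{authenticated_id} is not an authorized delegate of {claimed_id}")


if __name__ == "__main__":
    # Brian claims Eve's identifier and authenticates as himself; RP offers read/write/admin.
    print(resolve("https://eve.example/", "https://brian.example/", ["read", "write", "admin"]))
```

With the default hop limit of 1, Dave (delegated to by Brian, not by Eve) is refused when he claims Eve's identifier; raising `max_hops` to 2 lets the chain through, but only with the `read` permission that survives both policy edges. An RP that wanted coarser logging would still receive the delegate attribute on every delegated assertion, which is the point of carrying both identities.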