Extending OpenID Assertions with SAML+

From IIW

Issue/Topic: Extending OpenID Assertions with SAML+ (T4E)

Convener: Jay Unger

Notes-taker(s): Jay Unger

Greg Haverkamp   LBNL
Justin Richer    Mitre
Michael Barnes   PWC
David Dove       Judicial / CT
Zhihong Zhang    AOL
Nishant Kausmik  Oracle
Pamela Dingle    Ping Identity
Joel Schnee      AOL
Jay Unger        Independent Consultant

Tags for the session - technology discussed/ideas considered:

Attributes, SAML, OpenID extensions, OAuth extensions

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

The session was scheduled to discuss what is being or might be done to provide a more comprehensive and robust attribute capability for OpenID.

Began with a statement of requirement for more comprehensive capabilities than are now included in OpenID Attribute Exchange Extension which currently supports a simple gets/sets model for textual attribute/value pairs.

Discussed required additional attribute capabilities including: content rules, typing, usage restrictions and some sort of attribute provenance and dependency information carried along with the attribute expression. Provenance information should include information about both the source of the information (attribute provider) and the methods used for proofing/vetting the accuracy and authority of the assertion. Dependency information should explicit call out what other attributes were depended upon as pre-cursor to an attribute.

The use of SAML Attribute assertions (with extensions to support provenance and dependency information) was briefly discussed in the context of possible extensions to OpenID.

Several participants offered that there are a few other mechanisms that can be integrated with OpenID Authentication that provide some additional functionality:

Another OpenID extension called Artifact Binding (http://wiki.openid.net/OpenIDwithArtifactBinding) was mentioned as means for supporting a attribute exchange that contains a large set (perhaps all) of the attribute associate with an authenticated claimant.

OAuth 2.0 was also mentioned as a means for extending OpenID and was cited as a general direction for extension of OpenID. OAuth provides a mechanism for out-of-band site to site authorization and data access using bearer tokens.

UMA – User Managed Access (part of the Kantara initiative) was also referenced as protocol for user-centric management of attribute (and services) access.

Webfinger was also mentioned as a means for discovering the IdP (or perhaps other service provider) that a users has affiliated with.

In addition to these discussions there was a conversation about why several of the larger OpenID providers like AOL, Yahoo, Google etc. were presently not also operating as relying parties (RP) and allowing users to authenticate to their primary services (like AOL or Google mail) using another Identity Provider. The primary reason given was lack of any business incentive for these services to do this as it would in some way be viewed as ceding “ownership” of the user to another competing service. A representative from AOL stated that the technical means to do this had been implemented but not offered (at least not easily visible) because of this business concern. Others opined that some of the larger OpenID providers certain DID or were planning to act as RPs and permit “foreign” authentication transactions.

The discussion was a generally useful information and idea exchange.