Re: Anyone seen xauth.org?

Mon, 19 Apr 2010 12:53:20 -0700

And to clarify Chris's reference to Liberty Alliance, Liberty's Discovery Service is more comparable to XRD - a service at which the RP can query the user's various services and locations, (and in Liberty, obtain security tokens for those discovered endpoints a la WRAP & WS-Trust)
The Liberty DS did not track current authn sessions like XAuth. And neither does/did SAML's Common Domain Cookie - it was meant to be a history of past authn sessions (so slightly less timely info) 

paul

On 4/19/2010 3:14 PM, Nate Klingenstein wrote:

Chris,


Here's the final specification for one of the models you're referring 
to, the Discovery Service.  It existed for many years prior to that as 
the "WAYF" -- "where are you from?" service, and it's the one with 
wide purchase in academia.



http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-idp-discovery.html 




The XAuth proposal seems also, on quick, distract glance, to have 
flavors of the "common domain cookie" in the original SAML specs, but 
that failed in deployment.



But most of the technical distinctions appear to me to built around 
the concept of integration with the user's session at the identity 
provider.  That would be radically different from what we've done thus 
far, which caches and maintains nothing more than the user's choice of 
identity provider; not even whether they're a legitimate user there.



It appears to place an enormous amount of power and centralization 
into the hands of the XAuth service.  We've always wanted the DS to be 
an independent, optional piece of infrastructure, not the central cog 
around which everything else rotates.


Interested to learn more, to see whether my initial reading here is off.
Nate.

On Apr 19, 2010, at 6:24 PM, Chris Messina wrote:


In fact, this model is widely used in academia and in Europe to 
simplify federated authentication.


_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs



No virus found in this incoming message.
Checked by AVG - www.avg.com
Version: 9.0.801 / Virus Database: 271.1.1/2820 - Release Date: 04/19/10 
02:31:00


   


--
Paul Madsen                       connectid.blogspot.com
NTT DATA AgileNet                 @paulmadsen
[email protected]
6138588647



_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs






















					Reply via email to