There are telco use cases where a family member, by dint only of 'subscriber authentication' to the IDP/OP, is able to access shared resources (e.g. family calendar) at an SP/RP.

Unlike in Chris's academia case the OP/IDP is itself unable to distinguish a particular user from amongst other group members based on this sort of authentication.

To allow the SP to indicate back to the IDP that it needed a user authenticated as an individual (to allow for instance the RP to show calendar events associated with the user and not shared amongst the group) in SAML we defined an extension to Authn Context to distinguish between such shared credentials and those that are unique to a single user.

http://docs.oasis-open.org/security/saml/SpecDrafts-Post2.0/sstc-saml-context-ext-sc-cd-03.pdf

paul
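To make the SP-side consequence of that distinction concrete, here is an added example (not from this thread, and not code from the SAML spec or any telco deployment): an SP that reads the AuthnContextClassRef from an assertion and only releases per-user calendar data when the IdP asserted a credential unique to one person. The two context-class URIs and the sample assertion are constructed placeholders; the real class URIs are the ones defined in the linked sstc-saml-context-ext-sc draft.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Placeholder URIs standing in for the shared-credential and unique-credential
# context classes of the extension (assumption; not the draft's exact strings).
SHARED_CREDENTIAL = "urn:example:authn-context:shared-credential"
UNIQUE_CREDENTIAL = "urn:example:authn-context:unique-credential"

# Constructed sample assertion: a household member signed in with a credential
# shared by the whole subscription, so the IdP cannot say which person it is.
SAMPLE_ASSERTION = f"""
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>subscriber-12345</saml:NameID></saml:Subject>
  <saml:AuthnStatement>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{SHARED_CREDENTIAL}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
"""


def authn_context_class(assertion_xml: str) -> str:
    """Return the AuthnContextClassRef the IdP asserted, or "" if absent."""
    root = ET.fromstring(assertion_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    ref = root.find(path, NS)
    return (ref.text or "").strip() if ref is not None else ""


def calendar_view(assertion_xml: str) -> dict:
    """Decide what the calendar SP may show for this session.

    Only the unique-credential class proves an individual. A shared, unknown
    or missing context yields the group view, and the SP should ask the IdP
    for individual authentication before showing personal events.
    """
    ctx = authn_context_class(assertion_xml)
    if ctx == UNIQUE_CREDENTIAL:
        return {"scope": "individual", "step_up_required": False}
    return {"scope": "shared", "step_up_required": True}
```

Treating an unknown or absent context the same as a shared one is deliberate: the SP fails closed to the group view rather than guessing that a session belongs to one person.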

Chris Messina wrote:
On Tue, May 12, 2009 at 10:55 AM, Dick Hardt <[email protected]> wrote:

    On 12-May-09, at 1:36 AM, Nat Sakimura wrote:

        Reason for using RP's Subject in XRD instead of simply using
        realm is to allow for something like group identifier.

    would you elaborate on the group identifier concept?

I'm not sure what Nat is specifically referring to, but there was a US academic institution that provided OpenIDs for "classes" of people... i.e. students, teachers, etc.

When you signed in for a certain application, the OP would respond with the appropriate identifier for a class of users.

So, imagine I use directed identity in a school application... when I sign in to the OP, it will return something like http://schoolname.edu/student as the identifier.

You could imagine something similar where you could use authentication as a way to verify that someone comes from some geographic region or has previously registered for certain entitlements.

Chris

--
Chris Messina
Open Web Advocate

http://factoryjoe.com // http://diso-project.org // http://openid.net // http://vidoop.com
This email is:   [ ] bloggable    [X] ask first   [ ] private

_______________________________________________
specs mailing list
[email protected]
http://openid.net/mailman/listinfo/specs