This week at Internet Identity Workshop 2006b I've been demonstrating some work I've been doing to combine YADIS/XRI Identifier Resolution (as in OpenID) with SAML 2.0 Web Browser SSO Profile. The user experience is:
1. I go to a service provider (relying party)
2. I enter my identifier (URL or i-name)
3. I authenticate at my identity provider
4. I can access services at the service provider
The magic takes place between steps 2 and 3: the service provider resolves the user's identifier, which might be a URL or an i-name, to the location of a SAML 2.0 identity provider. From that point on the service provider can do vanilla SAML 2.0 Web Browser SSO with the identity provider. The easiest way to see what's going on is via a demo, so here you go:
Click to view Flash presentation
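To make the step between entering the identifier and arriving at the identity provider concrete, here is an added example (my own illustration, not Lightbulb code or the demo's code) of what the service provider does: YADIS-style discovery on a URL identifier (follow `X-XRDS-Location`, accept an `application/xrds+xml` body), selection of the SAML 2.0 IdP from the XRDS `Service` list by priority, and construction of a SAML 2.0 AuthnRequest for the HTTP-Redirect binding. The XRDS `Type` value that marks a SAML 2.0 IdP, the identifier `https://alice.example.net/`, and the `FAKE_HTTP` table standing in for the network round trip are all constructed assumptions; i-name resolution through an XRI proxy resolver is not covered, only URL identifiers.

```python
"""Resolve a user-supplied URL identifier to a SAML 2.0 IdP via YADIS/XRDS
discovery, then build the AuthnRequest the SP redirects the browser with.
Constructed example: the XRDS Type value and all hosts are assumptions."""
import base64
import datetime
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

XRD_NS = "xri://$xrd*($v*2.0)"
# Assumed: the post does not say which XRDS Type advertises a SAML 2.0 IdP.
SAML_IDP_TYPE = "urn:example:saml2-sso-idp"

# Constructed stand-in for the HTTP fetches discovery would make, so this runs offline.
FAKE_HTTP = {
    "https://alice.example.net/": {
        "headers": {"X-XRDS-Location": "https://alice.example.net/yadis.xml"},
        "body": "<html>alice's homepage</html>",
    },
    "https://alice.example.net/yadis.xml": {
        "headers": {"Content-Type": "application/xrds+xml"},
        "body": """<?xml version="1.0"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="20">
      <Type>http://openid.net/signon/1.0</Type>
      <URI>https://openid.example.org/server</URI>
    </Service>
    <Service priority="10">
      <Type>urn:example:saml2-sso-idp</Type>
      <URI>https://idp.example.org/saml2/sso</URI>
    </Service>
  </XRD>
</xrds:XRDS>""",
    },
}


def fetch(url):
    """Fetch a URL; only http(s) identifiers are ever resolved, anything else is refused."""
    if urlparse(url).scheme not in ("http", "https"):
        raise ValueError(f"unsupported identifier scheme: {url}")
    resp = FAKE_HTTP.get(url)
    if resp is None:
        raise LookupError(url)
    return resp


def discover_xrds(identifier):
    """YADIS discovery: follow X-XRDS-Location if present, else expect XRDS directly."""
    resp = fetch(identifier)
    hdrs = {k.lower(): v for k, v in resp["headers"].items()}
    if "x-xrds-location" in hdrs:
        resp = fetch(hdrs["x-xrds-location"])
        hdrs = {k.lower(): v for k, v in resp["headers"].items()}
    if not hdrs.get("content-type", "").startswith("application/xrds+xml"):
        raise ValueError("identifier did not yield an XRDS document")
    return resp["body"]


def saml_idp_from_xrds(xrds_xml):
    """Pick the SAML IdP SSO URL with the lowest priority value (lowest wins in XRD)."""
    root = ET.fromstring(xrds_xml)
    candidates = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = [t.text for t in svc.findall(f"{{{XRD_NS}}}Type")]
        uri = svc.find(f"{{{XRD_NS}}}URI")
        if SAML_IDP_TYPE not in types or uri is None:
            continue
        if urlparse(uri.text).scheme != "https":
            continue  # the SP will send the user's session there: insist on TLS
        candidates.append((int(svc.get("priority", "2147483647")), uri.text))
    return min(candidates)[1] if candidates else None


def build_redirect_url(idp_sso_url, sp_entity_id, acs_url):
    """SAML 2.0 AuthnRequest for the HTTP-Redirect binding: deflate, base64, URL-encode."""
    req_id = "_" + uuid.uuid4().hex  # store this to check InResponseTo on the Response
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    authn = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{req_id}" Version="2.0" IssueInstant="{now}" Destination="{idp_sso_url}" '
        f'AssertionConsumerServiceURL="{acs_url}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>"
    )
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, as the binding requires
    deflated = comp.compress(authn.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return req_id, f"{idp_sso_url}?{query}"


def decode_saml_request(redirect_url):
    """What the IdP does on receipt: undo the URL-encode, base64 and raw DEFLATE."""
    qs = parse_qs(urlparse(redirect_url).query)
    return zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode()


def sp_login_start(identifier, sp_entity_id, acs_url):
    """Steps 2 to 3 of the post: resolve the identifier, then redirect to the IdP."""
    idp = saml_idp_from_xrds(discover_xrds(identifier))
    if idp is None:
        raise LookupError("no SAML 2.0 identity provider advertised for this identifier")
    req_id, url = build_redirect_url(idp, sp_entity_id, acs_url)
    return idp, req_id, url


if __name__ == "__main__":
    idp, req_id, url = sp_login_start(
        "https://alice.example.net/", "https://sp.example.com/metadata",
        "https://sp.example.com/acs")
    print(idp, req_id, url[:80] + "...", sep="\n")
```

Two points the code makes that the post leaves implicit: the identifier is attacker-controlled input, so the resolver should only fetch http(s) URLs and should only accept an IdP endpoint over TLS, and after discovery nothing is YADIS-specific any more, since the request ID and the HTTP-Redirect encoding are exactly what a metadata-configured SAML 2.0 SP would produce.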
By the way - the service provider is implemented on top of Project Lightbulb. I need to do some tidying first, but I'll put the YADIS/XRI code there soon.
UPDATE - coverage of this demo at IIW2006b:
- Lightbulb: Bringing SAML to PHP
- Internet Identity Workshop demonstrations steal the show - nice pic on this one. Left-to-right we have Doc Searls, my good self, Shin Adachi and JP Rangaswami.