57 Varieties of Identifier-based Authentication
Johannes posts about the ongoing work on exploring the synergies between SAML and OpenID in an entry titled Eve and Pat, SAML and OpenID. It’s worth reading to get an idea of just how things are coming together. One correction, though, Johannes - you give a table of identifier-based authentication flavours, but you left an important one out. Here is a fuller version:
- with OpenID Authentication (which is light-weight, Diffie-Hellman key exchange-based)
- with LID/GPG Authentication (which is light-weight, public key-based)
- with SAML ‘Lightweight’ (which is only a little bit heavier and uses a simple ‘blob’ signature)
- with SAML (which is a bit heavier and uses XML Signatures)
Of course, the magic of Yadis makes this all very transparent to the user, but, I wonder, how do IdPs and SPs decide which flavour they prefer?
Comments
Johannes Ernst
Excellent question. In the short term: it’s up to the relying party (in most cases, because it initializes the redirect dance). In the longer term, I wouldn’t be too surprised if IdPs announced different “service levels” for, say, different $$$, such as: “dear relying party, we are willing to confirm to you that the user used their hardware fob and did a voice print, but that will cost you $0.50 per transaction. If you are satisfied with our confirmation that the user used username and password, that will be free.” Then a business case determines what should be used for what purpose.
Pat
You misunderstand me, Johannes. The options you describe (different authentication mechanisms) all have value in their various settings - username/password, hardware tokens, smartcards, biometrics. What I’m wondering about are all the different syntaxes for conveying this information from IdP to RP.