57 Varieties of Identifier-based Authentication

less than 1 minute read

Johannes posts about the ongoing work on exploring the synergies between SAML and OpenID in an entry titled Eve and Pat, SAML and OpenID. It’s worth reading to get an idea of just how things are coming together. One correction, though, Johannes - you give a table of identifier-based authentication flavours, but you left an important one out. Here is a fuller version:

Of course, the magic of Yadis makes this all very transparent to the user, but, I wonder, how do IdPs and SPs decide which flavour they prefer?



Johannes Ernst

Excellent question. In the short term: it’s up to the relying party (in most cases, because it initializes the redirect dance). In the longer term, I wouldn’t be too surprised if IdP announced different “service levels” for, say, different $$$, such as: “dear relying party, we are willing to confirm to you that the user used their hardware fob and did a voice print, but that will cost you $0.50 per transaction. If you are satisfied with our confirmation that the user used username and password, that will be free.” Then a business case determines what should be used for what purpose.


You misunderstand me, Johannes. The options you describe (different authentication mechanisms) all have value in their various settings - username/password, hardware tokens, smartcards, biometrics. What I’m wondering about are all the different syntaxes for conveying this information from IdP to RP.

Leave a Comment

Your email address will not be published. Required fields are marked *