One-time Federation
I had a question today from a Sun contractor in Europe. He was asking how Liberty provides for federation where the user does not have an account at the service provider - the ‘SAML 1.1’ case. The answer is one-time federation, described in section 1.2 of Liberty ID-FF Protocols and Schema Specification. The spec says “service providers can […] request a non-persistent, one-time only, anonymous name identifier for the Principal.” You can search that PDF for ‘onetime’ to find out more.
While googling for this information (I find Google is the quickest way to find stuff hidden away in PDFs) I found a very useful document at Entrust - Liberty Example Scenario - Anonymous B2B - that does a great job of explaining exactly this scenario, including how the service provider can obtain more than just the one-time name identifier by using ID-WSF to request attributes or by pre-arranging for attributes to be present in the ID-FF assertion. Three cheers to Entrust for a very lucid description of one-time federation.
Comments
Paul Madsen
Hi Pat, I’m not quite sure that the Entrust folks know about that doc on their site! I created it to be part of the ID-WSF Implementation Guidelines, not sure how/why it got to Entrust’s public site. :-) I’ll notify the appropriate people and send you the link to the WSF IG if Entrust takes it down. I also wanted to add to your answer to the original question. If the SP doesn’t want the user to have an account, then this sort of ‘one time federation’ (although ‘federation’ has such persistent connotations) is, as you point out, the answer. If, on the other hand, it just so happens that the user doesn’t yet have an account at the SP, but is willing to establish one, then normal ‘persistent’ federation can still work, the user just creates an account during the federation process.
Leave a Comment
Your email address will not be published. Required fields are marked *