Bridging OpenID and SAML 2.0
Andreas Åkre Solberg, andreas@uninett.no
Terminology
OpenID Terminology: OpenID Consumer, OpenID Provider, OpenID Identity
SAML 2.0 Terminology: SAML 2.0 Service Provider, SAML 2.0 Identity Provider
Your identity is your web site URL! http://rnd.feide.no is my OpenID identity.
- You control what you put on that URL.
- The URL is globally unique.
- It is one aspect of your identity.
What is your OpenID?
OpenID is centred on the user, not on a specific IdP or federation. OpenID consumers work with all possible OpenID providers - no trust relationship is needed in advance. Basically, consumers do not have to trust the provider; they trust the user! The user can switch to another IdP at any time...
User centric
There is no trust in OpenID. A site can never really know who you are - instead the site can know that you are the very same person that registered an account.
No trust?
World-wide services where everyone can create "anonymous" accounts, but the account still needs to be protected with credentials: Yahoo, AIM, Flickr, Facebook, Digg, Technorati and more.
(world wide and too large to possibly join every possible federation out there)
Lightweight accounts: comments on blogs, public wikis, polls etc.
(too small to join a complex SAML2.0 federation)
Target group: services
OpenID is "open".
- No federation
- Anyone can become an OpenID consumer (Service)
- Anyone can become an OpenID provider (IdP)
- All OpenID providers can authenticate users for all consumers (no groups/federations/circles of trust) - just one big network where everyone is connected...
The open in OpenID
Why introduce OpenID in our closed but happy federated environment?
- Convenient for users! Many more services increase the usefulness of federated SSO.
- These services would never be SPs.
- It is not a competing technology - it will be an extension to our federations. We don't replace SAML with OpenID, we extend with OpenID.
Why?
Independent
Not bound to a specific vendor.
Simple
The spec is only a few pages.
Why OpenID?
On the web site at your OpenID URL, you add meta headers that point to your OpenID provider:
How does it work
This is an abstraction layer that allows you to switch Identity Provider re-using the same OpenID identifier.
When you visit an OpenID consumer, you are asked about your OpenID URL:
How does it work
Then the consumer fetches that URL, extracts the openid meta headers, and now has the address of the OpenID provider.
There are two modes: smart mode and dumb mode. Smart mode is for consumers that can keep state. Dumb mode is for consumers that are stateless.
Two modes
Shared key is exchanged in advance using DH in the associate() call.
Smart mode
OpenID Consumer OpenID Provider OpenID Identity UA
- 1. lookup()
- 2. associate()
- 3. Send checkid_setup
- 3. checkid_setup
(4. authenticate)
- 5. response
- 5. response
Shared key is exchanged in advance using DH in the associate() call.
Dumb mode
OpenID Consumer OpenID Provider OpenID Identity UA
- 1. lookup()
- 6. check_authenticated()
- 3. Send checkid_setup
- 3. checkid_setup
(4. authenticate)
- 5. response
- 5. response
Shared key is exchanged in advance using DH in the associate() call.
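Smart mode and dumb mode side by side, as an added Python example that is not from the slides or from simpleSAMLphp: a hypothetical Provider class plays the OpenID provider, and two consumer functions show why only the stateful consumer can verify a response without a round trip. Assumptions: a toy DH group, a fixed set of signed fields, and the spec's name check_authentication for the call the diagram labels check_authenticated(); the real default group and key-value format are those of the OpenID 1.1 specification.

```python
import hashlib, hmac, secrets
P, G = 2**127 - 1, 2   # toy DH group (constructed); real OpenID 1.1 uses a fixed 1536-bit prime

def btwoc(n):          # big-endian two's-complement bytes, the OpenID encoding of DH values
    return n.to_bytes((n.bit_length() + 8) // 8, "big")
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def sign(key, fields):
    """HMAC-SHA1 over the key:value form of the signed fields (fixed order here)."""
    kv = "".join(f"{k}:{fields[k]}\n" for k in ("identity", "return_to", "assoc_handle"))
    return hmac.new(key, kv.encode(), hashlib.sha1).hexdigest()

class Provider:                      # hypothetical OpenID provider
    def __init__(self):
        self.assocs = {}             # assoc_handle -> MAC key agreed in associate()
        self.private_key = secrets.token_bytes(20)   # signs responses to dumb consumers

    def associate(self, consumer_public):
        """Step 2 (smart mode): DH agreement; the MAC key is sent XORed with SHA1(shared)."""
        y = secrets.randbelow(P - 2) + 1
        shared = pow(consumer_public, y, P)
        mac_key = secrets.token_bytes(20)
        handle = secrets.token_hex(8)
        self.assocs[handle] = mac_key
        return handle, pow(G, y, P), xor(mac_key, hashlib.sha1(btwoc(shared)).digest())

    def checkid_setup(self, identity, return_to, handle=None):
        """Steps 3-5: after authenticating the user, issue a signed positive assertion."""
        key = self.assocs.get(handle, self.private_key)
        fields = {"identity": identity, "return_to": return_to,
                  "assoc_handle": handle or "stateless"}
        fields["sig"] = sign(key, fields)
        return fields

    def check_authentication(self, fields):
        """Step 6 (dumb mode): the provider verifies its own stateless signature."""
        return hmac.compare_digest(sign(self.private_key, fields), fields["sig"])

def smart_mode(op, identity, return_to):
    """Stateful consumer: derive the MAC key once, then verify responses locally."""
    x = secrets.randbelow(P - 2) + 1
    handle, server_public, enc_mac_key = op.associate(pow(G, x, P))
    mac_key = xor(enc_mac_key, hashlib.sha1(btwoc(pow(server_public, x, P))).digest())
    resp = op.checkid_setup(identity, return_to, handle)
    return hmac.compare_digest(sign(mac_key, resp), resp["sig"])

def dumb_mode(op, identity, return_to):
    """Stateless consumer: no association; every response costs a round trip to the OP."""
    resp = op.checkid_setup(identity, return_to)
    return op.check_authentication(resp)
```

A response whose signed fields were altered in transit fails both checks, which is the property each mode has to deliver; the difference is only where the key that proves it lives.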
OpenID <-> SAML 2.0
OpenID Consumer simpleSAMLphp OpenID Identity UA
- 1. lookup()
- 6. check_authenticated()
- 3. Send checkid_setup
- 3. checkid_setup
- 5. response
- 5. response
SAML 2.0 IdP
- 4. AuthnRequest
- 4. AuthnResponse