Wednesday, December 20, 2006

OpenID and Cardspace (and a smidgen of SAML)

Drummond follows up on a comment from Microsoft's Mike Jones on the potential of OpenID and Cardspace integration.
In response to your question “How can we help each other?”, the first step to me seems to be for the OpenID providers to allow people to sign into their OpenIDs with InfoCards, rather than username/password. Then OpenID users will automatically gain all the benefits of the CardSpace user experience ceremony.
If Chuck Mortimer's proof-of-concept is OpenID within Cardspace, then this scenario (i.e. using Cardspace to authenticate to an OpenID IDP, at the behest of an OpenID RP, such that the OpenID IDP is a Cardspace RP) is OpenID followed by Cardspace - a weaker form of integration (and one of course possible with any other SSO system like SAML, as highlighted by Ping).

As I see it, the defining characteristic of both OpenID and Cardspace is how identity persona selection occurs. In the default (but not only) OpenID sequence, the user selects which persona to present to the RP by providing the appropriate URI at the RP's prompt. In Cardspace, the RP indicates its requirements and Cardspace displays a list of candidate cards, from which the user then selects. Both are selection operations, but they differ in where they occur.

So, would integrating Cardspace and OpenID in this manner imply the user having to select a persona twice, e.g. something like the sequence below:
  1. User visits OpenID RP
  2. OpenID RP prompts for OpenID
  3. User selects persona and provides corresponding URI
  4. OpenID RP directs User to OpenID IDP
  5. OpenID IDP invokes Cardspace for authentication
  6. Cardspace displays candidate cards
  7. User selects from list, maybe signs into card
  8. Cardspace authenticates User to OpenID IDP
  9. OpenID IDP directs User back to OpenID RP with assertion
or would the OpenID IDP be able to express its requirements so uniquely (just authentication) that no card selection (Step 7 above) would be necessary? (I've never actually seen a demo of Cardspace used solely for authentication, so I have no experience with this part of the 'ceremony'.)
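To make the double-selection question concrete, here is an added toy model of the nine-step flow above (not code from the original post or from any OpenID/CardSpace implementation). The card names, claim types, issuers and policies are constructed, and the model assumes the selector skips step 7 when exactly one card satisfies the IDP's policy; real CardSpace may still show the selector in that case.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Card:
    """One information card in the user's wallet (constructed sample data)."""
    name: str
    issuer: str            # "self" marks a self-issued card
    claims: frozenset      # claim types this card can supply

@dataclass(frozen=True)
class CardPolicy:
    """What the Cardspace RP (here, the OpenID IDP) asks for in step 5."""
    required_claims: frozenset
    accepted_issuers: frozenset

def candidate_cards(wallet, policy):
    """Step 6: the selector's filter, keeping only cards that satisfy the policy."""
    return [c for c in wallet
            if c.issuer in policy.accepted_issuers
            and policy.required_claims <= c.claims]

def openid_then_cardspace(wallet, openid_uri, idp_policy, choose):
    """Steps 3-9 of the flow. Returns (number of persona choices, assertion).
    Modelling assumption: if exactly one card fits, step 7 is skipped."""
    selections = 1                               # step 3: user chose an OpenID URI
    cards = candidate_cards(wallet, idp_policy)  # steps 5-6
    if not cards:
        raise PermissionError("no card satisfies the OpenID IDP's policy")
    if len(cards) == 1:
        card = cards[0]                          # step 7 collapses to no choice
    else:
        card = choose(cards)                     # step 7: a second persona choice
        selections += 1
    # steps 8-9: the IDP accepts the card and asserts the claimed identifier
    return selections, {"claimed_id": openid_uri, "card": card.name}

# Constructed wallet: one managed card and two self-issued cards.
WALLET = [
    Card("work", "corp-sts.example", frozenset({"name", "email"})),
    Card("home", "self",             frozenset({"ppid"})),
    Card("blog", "self",             frozenset({"ppid", "email"})),
]
# "Just authentication": any self-issued card will do. This is the least
# selective policy, so a user with several self-issued cards still hits step 7.
AUTH_ONLY  = CardPolicy(frozenset({"ppid"}), frozenset({"self"}))
WITH_EMAIL = CardPolicy(frozenset({"ppid", "email"}), frozenset({"self"}))

if __name__ == "__main__":
    first = lambda cards: cards[0]
    print(openid_then_cardspace(WALLET, "https://alice.example/", AUTH_ONLY, first))
    print(openid_then_cardspace(WALLET, "https://alice.example/", WITH_EMAIL, first))
```

The point the model makes is that narrowing the IDP's policy to "authentication only" does not by itself remove the second choice; only a policy that happens to match a single card in the user's wallet does.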

1 comment:

James McGovern said...

How about suggesting that they collectively work together and build a reference implementation into an open source portal so that it demonstrates OpenID and Cardspace? I suggest Liferay.