Tuesday, February 13, 2007

Disconnected Identity

Conor is silent on his key contribution to the Liberty Alliance Advanced Client specifications, the first public draft of which is now available.

A key driver of Advanced Client functionality is the set of so-called 'disconnected' use cases. From the overview:
The Advanced Client will operate in multiple modes of operation based upon the parties that it is interacting with. The modes are differentiated by the connectivity level of the various actors within a transaction. The two primary modes of operation that we are concerned with here include:
  • Connected - the Advanced Client is fully connected to the network and generally all parties to a transaction could communicate with each other if necessary. In this mode, the Advanced Client can choose to act as a simple facilitator of the actual operation or for various reasons (such as privacy, load balancing, etc.) the Advanced Client can take a more active role, providing delegated authentication and/or web services.
  • Disconnected - the Advanced Client does not have connectivity to one or more parties in a transaction (such as not having connectivity to the IdP during an authentication transaction). This mode limits the Advanced Client to delegated services and can restrict the availability of services exposed directly by the Advanced Client.

Similar to CardSpace, Advanced Client enables use cases in which a client presents identity claims to an SP without a third-party IdP being directly involved. Importantly, it also supports a model in which the client acts as an extension of an IdP, with the right to make claims delegated to it by that IdP.
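To make the delegation model concrete, here is an added example (my own constructed illustration, not code from the Liberty Alliance specification or from any Advanced Client implementation). It assumes a federation key shared between the IdP and the SP, a per-client key the IdP derives from it during a connected phase, and a delegation token that records which claims the client may assert and until when. The client then signs claims while disconnected from the IdP, and the SP verifies them against the token alone. All names, keys and field layouts are assumptions chosen for the example.

```python
import hashlib
import hmac
import json

# Constructed illustration only: the IdP and the SP share a federation key.
# The IdP derives a per-client delegated key from it and hands the client a
# delegation token stating what the client may assert on the IdP's behalf.
FEDERATION_KEY = b"constructed-idp-sp-federation-key"  # placeholder, not a real key


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _canonical(obj: dict) -> bytes:
    # Deterministic encoding so IdP and SP derive the same key from a token.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def idp_delegate(client_id: str, allowed_claims: list, ttl: int, now: int):
    """Connected phase: the IdP issues a delegation token plus a delegated key.

    The key is bound to the token contents, so any change to the token
    (scope, expiry, client) yields a different key and breaks verification.
    """
    token = {"client": client_id, "allowed": sorted(allowed_claims), "exp": now + ttl}
    delegated_key = _mac(FEDERATION_KEY, b"delegation:" + _canonical(token))
    return token, delegated_key


def client_assert(token: dict, delegated_key: bytes, claims: dict, audience: str) -> dict:
    """Disconnected phase: the Advanced Client signs claims without reaching the IdP."""
    assertion = {"aud": audience, "claims": claims}
    sig = _mac(delegated_key, _canonical(assertion))
    return {"delegation": token, "assertion": assertion, "sig": sig.hex()}


def sp_verify(message: dict, audience: str, now: int) -> bool:
    """SP side: re-derive the delegated key from the token and check expiry, audience,
    claim scope and the MAC. The IdP is not contacted."""
    token = message["delegation"]
    assertion = message["assertion"]
    if now >= token["exp"]:
        return False  # delegation has lapsed
    if assertion["aud"] != audience:
        return False  # assertion was minted for a different SP
    if not set(assertion["claims"]).issubset(token["allowed"]):
        return False  # client asserted something the IdP never delegated
    delegated_key = _mac(FEDERATION_KEY, b"delegation:" + _canonical(token))
    expected = _mac(delegated_key, _canonical(assertion))
    return hmac.compare_digest(expected, bytes.fromhex(message["sig"]))


def demo() -> dict:
    """Walk through the exchange with constructed timestamps and claims."""
    now = 1000
    token, key = idp_delegate("client-42", ["email", "age_over_18"], ttl=600, now=now)
    msg = client_assert(token, key, {"age_over_18": True}, "sp.example")
    # A token whose scope was widened after issuance derives a different key.
    widened = dict(token, allowed=["age_over_18", "email", "ssn"])
    tampered = client_assert(widened, key, {"ssn": "000-00-0000"}, "sp.example")
    return {
        "valid": sp_verify(msg, "sp.example", now + 100),
        "expired": sp_verify(msg, "sp.example", now + 600),
        "wrong_audience": sp_verify(msg, "other.example", now + 100),
        "out_of_scope": sp_verify(client_assert(token, key, {"ssn": "x"}, "sp.example"),
                                  "sp.example", now + 100),
        "tampered_token": sp_verify(tampered, "sp.example", now + 100),
    }


if __name__ == "__main__":
    print(demo())
```

The point of binding the delegated key to the token contents is that the SP never has to trust the client's description of its own rights: a client that widens its scope or extends its expiry in the token it presents simply fails the MAC check, so the SP's checks on expiry, audience and claim scope all rest on material the IdP actually issued.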
