The one statement Paul makes that I don’t agree with is this:
Were an IDP to use transient (as opposed to persistent pseudonymous) identifiers within a SAML assertion each time it asserted to a RP, then not only would RPs be unable to collude with each other (based on that identifier), they’d be unable to collude with themselves (the past or future themselves).
I’ve been through this thinking myself.
Suppose we got rid of the user identifier completely, and just kept the assertion ID that identifies a given SAML token (must be unique across time and space - totally transient). If the relying party received such a token and colluded with the identity provider, the assertionID could be used to tie the profile at the relying party to the person who authenticated and got the token in the first place. So it doesn’t really prevent linking once you try to handle the problem of collusion.
Yes, but then we are no longer talking about 'RP/RP' collusion, in which (by my definition at least), the IDP stays pure and it is only the RPs that cross to the Dark Side. Bringing in the IDP changes everything (as Kim acknowledges by creating the separate 'RP/IP' correlation category).
Irving joins in (and he must be agreeing with me or I wouldn't link to him) to point out a Shib use-case. I was going to (smugly) point out how Sun used SAML/Liberty for enabling employee access to BIPAC as another example but, on digging a bit, it seems that they aren't using transient identifiers. I guess BIPAC wanted to provide employees continuity of service, e.g. no repeated questions like 'Are you now or have you ever been a member of the Communist Party?'
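To make the three correlation categories in this exchange concrete, here is an added toy model (my own illustration, not code from Paul's or Kim's posts, and not a real SAML implementation) of an IdP issuing assertions with either transient or pairwise-persistent NameIDs to two RPs; the IdP/RP/user names are assumed. It shows that transient NameIDs defeat RP/RP and RP/self correlation, pairwise-persistent ones defeat only RP/RP, and the assertion ID plus the IdP's own audit log links every session once the IdP joins the collusion.

```python
# Constructed model of SAML NameID correlation; not a real SAML library.
import secrets

class IdP:
    """Issues assertions and keeps an audit log of assertion IDs, as real IdPs do."""
    def __init__(self):
        self.audit = {}      # assertion ID -> real user (IdP-side record)
        self.pairwise = {}   # (user, rp) -> persistent pseudonymous NameID

    def assert_to(self, user, rp, name_id_format):
        assertion_id = "_" + secrets.token_hex(16)   # unique across time and space
        if name_id_format == "transient":
            name_id = "_" + secrets.token_hex(16)    # fresh value on every assertion
        elif name_id_format == "persistent":         # stable per (user, RP) pair
            name_id = self.pairwise.setdefault((user, rp), "_" + secrets.token_hex(16))
        else:
            raise ValueError(name_id_format)
        self.audit[assertion_id] = user
        return {"ID": assertion_id, "NameID": name_id, "Audience": rp}

class RP:
    def __init__(self, name):
        self.name = name
        self.seen = []       # every assertion this RP has received over time
    def receive(self, assertion):
        assert assertion["Audience"] == self.name
        self.seen.append(assertion)

def rp_rp_collusion(rp_a, rp_b):
    """Can two RPs link profiles by NameID alone (the IdP stays 'pure')?"""
    return bool({a["NameID"] for a in rp_a.seen} & {b["NameID"] for b in rp_b.seen})

def rp_self_collusion(rp):
    """Can one RP link its own past and future sessions by NameID?"""
    ids = [a["NameID"] for a in rp.seen]
    return len(ids) != len(set(ids))

def rp_idp_collusion(rp, idp):
    """With the IdP's audit log, the assertion ID ties each session to the real user."""
    return {a["ID"]: idp.audit[a["ID"]] for a in rp.seen}

def run(name_id_format):
    idp, a, b = IdP(), RP("rp-a"), RP("rp-b")
    for _ in range(2):   # constructed user 'alice' logs in to each RP twice
        a.receive(idp.assert_to("alice", "rp-a", name_id_format))
        b.receive(idp.assert_to("alice", "rp-b", name_id_format))
    return {"rp_rp": rp_rp_collusion(a, b),
            "rp_self": rp_self_collusion(a),
            "rp_idp": set(rp_idp_collusion(a, idp).values()) == {"alice"}}
```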