Sunday, December 16, 2007

Methinks

Ben is thinking about discovery:

"When I first arrive at a site, how does it know who I’ve chosen to be my IdP? When I turn up at Unicorns-R-Us, how do they know that they should go to Amazon to verify that I’m logged in and that I’m the same guy as shopped there last time?

"This question is, of course, the question of IdP discovery, and although we’re not worrying about it much right now (at least in the user-centric world - I know Liberty has worried about it forever), I predict that we’ll be worrying about it a lot, Real Soon Now."
It's true that the Liberty Alliance did spend time on this sort of discovery, that is, the kind in which an RP determines where the user can be authenticated. It was in ID-FF that the 'common domain cookie' discovery mechanism that SAML 2.0 now standardizes was first defined (ID-FF having been submitted as input to SAML 2.0).
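To make the common domain cookie mechanism concrete, here is an added example (not code from this post or from Liberty/OASIS) of the two halves of the SAML 2.0 Identity Provider Discovery Profile: the IdP appending its entityID to the shared `_saml_idp` cookie after login, and the RP reading the most recent entry as a hint for where to send the user. The cookie name and the value format (space-separated, base64-encoded entityIDs, most recent last) come from the SAML 2.0 profile; the entityIDs, the size cap, and the fallback to an earlier trusted entry are assumptions of this example.

```python
"""
Added example: SAML 2.0 Identity Provider Discovery Profile, "common domain
cookie" handling (cookie name _saml_idp). Not code from the post or the spec.

Per the profile, the cookie value is a list of base64-encoded IdP entityIDs
separated by a single space, with the most recently used IdP appended last.
The cookie is set on a domain shared by the IdPs and read by the RP. It is a
routing hint only: the user's identity is still proven by the signed SAML
assertion the chosen IdP later issues, never by the cookie itself.
"""
import base64
import binascii
from typing import List, Optional, Set
from urllib.parse import quote, unquote

COOKIE_NAME = "_saml_idp"


def _b64(entity_id: str) -> str:
    return base64.b64encode(entity_id.encode("utf-8")).decode("ascii")


def _unb64(token: str) -> Optional[str]:
    # Reject anything that is not strict base64 or not valid UTF-8; a
    # malformed entry should be ignored, not crash the login flow.
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def parse_cookie(raw_value: str) -> List[str]:
    """Decode a _saml_idp value into entityIDs, oldest first, skipping junk."""
    # Cookie libraries typically percent-encode the space separator; undo that.
    decoded = unquote(raw_value)
    ids = []
    for token in decoded.split():
        eid = _unb64(token)
        if eid:
            ids.append(eid)
    return ids


def idp_append(raw_value: str, entity_id: str, max_entries: int = 5) -> str:
    """IdP side: after authenticating the user, move or add this IdP's
    entityID to the end of the list so it becomes the 'most recent' one.
    The max_entries cap is an assumption to bound cookie size."""
    ids = [e for e in parse_cookie(raw_value) if e != entity_id]
    ids.append(entity_id)
    ids = ids[-max_entries:]
    # Percent-encode so the space separator survives cookie transport.
    return quote(" ".join(_b64(e) for e in ids))


def rp_preferred_idp(raw_value: str, trusted_idps: Set[str]) -> Optional[str]:
    """RP side: take the most recent IdP from the cookie, but only if the RP
    actually holds metadata for it. Falling back to an earlier trusted entry
    is this example's choice; the profile itself only names the last entry.
    An untrusted entityID is never used: the cookie is attacker-writable on
    the client and must not widen the set of IdPs the RP accepts."""
    for eid in reversed(parse_cookie(raw_value)):
        if eid in trusted_idps:
            return eid
    return None


if __name__ == "__main__":
    # Constructed entityIDs standing in for 'Amazon' and a second IdP.
    cookie = idp_append("", "https://amazon.example/idp")
    cookie = idp_append(cookie, "https://idp.example.org")
    print(COOKIE_NAME, "=", cookie)
    print("RP would redirect to:",
          rp_preferred_idp(cookie, {"https://amazon.example/idp"}))
```

In the flow the post describes, Amazon (as IdP) would call `idp_append` when it logs the user in, and Unicorns-R-Us (as RP) would call `rp_preferred_idp` on arrival before deciding where to send the AuthnRequest. Note that `parse_cookie` uses `unquote`, not `unquote_plus`, because `+` is a legitimate base64 character and must not be turned into a separator.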

These days, however, Liberty doesn't spend much time thinking about this sort of IdP discovery.

For Liberty, discovery now primarily refers to Unicorns-R-Us, once given an authenticated user through (likely) SAML SSO, determining where the various identity attributes (e.g. profile, calendar, geolocation, social, etc.) of that authenticated user can be found. It is through the user's Discovery Service (a sort of personalized identity search engine) that Unicorns-R-Us is able to find these various services and obtain the security tokens it needs to authenticate to them.

For the most part, Liberty ID-WSF defers to the SSO protocol that precedes it (the link between the two worlds being known as the bootstrap) to deal with the type of IdP discovery Ben is interested in.
