Monday, April 30, 2007

OpenID bootstrap to ID-WSF

In last week's Brussels IOS session called 'Metasystem - Slice & Dice', the group identified that a meaningful piece of work towards a 'Concordic' (love the word; I'm even using it to scold when my kids fight) metasystem would be to define the 'OpenID bootstrap to Liberty Alliance ID-WSF' (the scenario diagrammed here).

So what would this entail?

OpenID is (primarily) a front-channel SSO system; ID-WSF is (primarily) a back-channel attribute sharing system. The work being proposed would define how you segue from the former to the latter, i.e. how an OpenID RP, once an authenticated OpenID user has arrived, can transition into the ID-WSF world in order to discover and obtain other identity attributes of the user (this is seen as an alternative to having the attributes delivered inline through the OpenID protocols).

To play in the ID-WSF world, the RP needs two things:

- the SOAP endpoint at which the relevant user's Discovery Service is located. The Discovery Service is like a personalized search engine for identity attributes. It's the Discovery Service that will be able to tell the RP where the user's various identity attributes (e.g. profile, calendar, presence, geolocation, wallet, social, VRM, etc) are located.
- a security token that, if presented to the Discovery Service, will serve to identify both the user in question and the RP asking the question (so that permissions can be applied).

In Liberty's architecture, the container for the above pieces of information (there are other bits as well) is an <EndPointReference>, an XML data structure defined by the W3C's WS-Addressing spec.

If an OpenID RP can obtain the EPR for the user's Discovery Service, then it has the necessary information and credentials to start participating in the ID-WSF world because, with the DS EPR, it can search for and retrieve the EPRs of other identity services (like calendar, etc) that it is ultimately interested in.

So, the challenge for connecting OpenID and ID-WSF is 'simple': define how the OpenID RP can obtain the DS EPR and, so armed, start discovering and invoking the identity services of interest. Liberty has always referred to this step as the bootstrap, hence the title of this post.

In our Brussels IOS session, we discussed two broad options for making this work.

  1. Having the OpenID protocol response carry (in an extension) a URI at which the DS EPR could be retrieved.
  2. Having the DS EPR available as part of the user's Yadis document.

The first is aligned with how the existing bootstrap from SAML SSO works; the second is perhaps more consistent with the existing OpenID model. More later on the pros/cons of each.
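To make the two pieces above concrete (what the RP has to pull out of the DS EPR, and how option 1 would hand the RP a URI for that EPR inside the OpenID response), here is an added example. It is not code from the post, from Liberty Alliance, or from any OpenID library. It assumes the WS-Addressing 1.0 and ID-WSF 2.0 discovery/security namespace URIs as I recall them; the OpenID extension alias and namespace (`openid.ns.ext1`, `ext1.ds_epr_uri`) are hypothetical, since the post names no extension; the EPR and the OpenID response are constructed samples, not captured traffic. The checks it performs are the ones an RP should insist on: the EPR is really a WS-Addressing EndpointReference with an https Address and a security token, and the extension fields carrying the EPR URI are covered by the OpenID signature (`openid.signed`) rather than being an unsigned parameter anyone could append to the return URL.

```python
"""Added example: what an OpenID RP extracts from a Discovery Service EPR,
and how it would obtain that EPR under option 1 (URI in a signed OpenID
extension). Namespace URIs, extension names and sample data are assumptions
(see comments); nothing here is the post's or a project's own code."""
from dataclasses import dataclass
from urllib.parse import urlparse
import xml.etree.ElementTree as ET  # for untrusted XML prefer defusedxml

WSA = "http://www.w3.org/2005/08/addressing"   # WS-Addressing 1.0 (assumed)
DISCO = "urn:liberty:disco:2006-08"           # ID-WSF 2.0 discovery (assumed)
SEC = "urn:liberty:security:2006-08"          # ID-WSF 2.0 security (assumed)
HYPOTHETICAL_EXT_NS = "http://example.org/openid/ext/ds-epr/1.0"  # placeholder

# Constructed sample DS EPR: the SOAP endpoint plus a token naming user and RP.
SAMPLE_DS_EPR = f"""
<wsa:EndpointReference xmlns:wsa="{WSA}" xmlns:disco="{DISCO}" xmlns:sec="{SEC}">
  <wsa:Address>https://idp.example.org/idwsf/disco</wsa:Address>
  <wsa:Metadata>
    <disco:Abstract>Discovery Service for the user</disco:Abstract>
    <disco:ServiceType>{DISCO}</disco:ServiceType>
    <disco:ProviderID>https://idp.example.org/</disco:ProviderID>
    <disco:SecurityContext>
      <disco:SecurityMechID>urn:liberty:security:2005-02:TLS:Bearer</disco:SecurityMechID>
      <sec:Token usage="urn:liberty:security:tokenusage:2006-08:SecurityToken">
        <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">...</Assertion>
      </sec:Token>
    </disco:SecurityContext>
  </wsa:Metadata>
</wsa:EndpointReference>
"""

# Constructed OpenID 2.0 positive assertion; ext1 is the hypothetical extension.
SAMPLE_OPENID_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://idp.example.org/openid",
    "openid.claimed_id": "https://idp.example.org/u/alice",
    "openid.identity": "https://idp.example.org/u/alice",
    "openid.return_to": "https://rp.example.com/openid/return",
    "openid.response_nonce": "2007-04-30T12:00:00Zconstructed",
    "openid.assoc_handle": "constructed-handle",
    "openid.ns.ext1": HYPOTHETICAL_EXT_NS,
    "openid.ext1.ds_epr_uri": "https://idp.example.org/idwsf/disco-epr?u=alice",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,"
                     "assoc_handle,ns.ext1,ext1.ds_epr_uri",
    "openid.sig": "constructed-signature",
}


class BootstrapError(ValueError):
    """Raised when the EPR or the OpenID response is not usable for bootstrap."""


@dataclass(frozen=True)
class DiscoveryBootstrap:
    address: str        # SOAP endpoint of the user's Discovery Service
    provider_id: str    # who issued the EPR
    security_mech: str  # how the RP must present the token
    token_xml: str      # the security token identifying user + RP


def parse_ds_epr(epr_xml: str) -> DiscoveryBootstrap:
    """Extract the two things the RP needs: the DS address and the token."""
    root = ET.fromstring(epr_xml)
    if root.tag != f"{{{WSA}}}EndpointReference":
        raise BootstrapError("not a WS-Addressing EndpointReference")
    address = (root.findtext(f"{{{WSA}}}Address") or "").strip()
    if urlparse(address).scheme != "https":
        raise BootstrapError("DS Address must be an https URL")
    meta = root.find(f"{{{WSA}}}Metadata")
    ctx = meta.find(f"{{{DISCO}}}SecurityContext") if meta is not None else None
    token = ctx.find(f"{{{SEC}}}Token") if ctx is not None else None
    if token is None:
        raise BootstrapError("EPR carries no security token; RP cannot call the DS")
    return DiscoveryBootstrap(
        address=address,
        provider_id=(meta.findtext(f"{{{DISCO}}}ProviderID") or "").strip(),
        security_mech=(ctx.findtext(f"{{{DISCO}}}SecurityMechID") or "").strip(),
        token_xml=ET.tostring(token, encoding="unicode"),
    )


def ds_epr_uri_from_openid_response(params: dict) -> str:
    """Option 1: take the DS EPR URI from the extension, but only if the
    extension fields were covered by openid.sig (verified separately by the
    RP's normal OpenID handling) and the URI is https."""
    alias = next((k[len("openid.ns."):] for k, v in params.items()
                  if k.startswith("openid.ns.") and v == HYPOTHETICAL_EXT_NS), None)
    if alias is None:
        raise BootstrapError("response carries no DS EPR extension")
    signed = set(params.get("openid.signed", "").split(","))
    if not {f"ns.{alias}", f"{alias}.ds_epr_uri"} <= signed:
        raise BootstrapError("DS EPR extension fields are not covered by openid.sig")
    uri = params.get(f"openid.{alias}.ds_epr_uri", "")
    if urlparse(uri).scheme != "https":
        raise BootstrapError("DS EPR URI must be https")
    return uri


def bootstrap_from_openid(params: dict, fetch) -> DiscoveryBootstrap:
    """fetch(uri) returns the EPR XML; injected so the example runs offline."""
    return parse_ds_epr(fetch(ds_epr_uri_from_openid_response(params)))


if __name__ == "__main__":
    boot = bootstrap_from_openid(SAMPLE_OPENID_RESPONSE, lambda uri: SAMPLE_DS_EPR)
    print(boot.address, boot.security_mech)
```

The signed-field check is the important part of option 1: in OpenID 2.0 any parameter not listed in `openid.signed` is unauthenticated, so an RP that read the EPR URI without that check could be pointed at an attacker-chosen Discovery Service. Option 2 (EPR in the Yadis document) would reuse `parse_ds_epr` unchanged; only the retrieval step differs.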
