OMG, Another Simple, Lightweight Authentication Service???
Keith Hazelton, University of Wisconsin-Madison / Internet2 MACE
Jasig, Denver, 25 May 2011
BUT...
Bamboo sites want to accept user authentication:
- from SAML identity providers (e.g. university members of InCommon running Shib)
- and from social identity providers (e.g. Google, Yahoo, Facebook, OpenID, ...)
BUT...
But each week brings a cool new social identity service.
- Developers know how to configure and run SAML Service and Resource Providers
- No free cycles for social development
- They don't want to give up that big federation win
Bamboo is a green-field project:
- no legacy code
- our developers are eager to hear recommendations on good practices
Sad but true: gateways that convert social-identity-based authentication into SAML assertions are a necessary part of the picture, given the current state of affairs.
But Relying Parties (Bamboo sites) want control:
- control over gateway operations, e.g. "do not allow authN via FB"
- they will (initially at least) run their OWN Bamboo gateway
Over time, that will mean LOTS of gateways
UNLESS we are able to agree on common solutions:
- The SAML assertion from the gateway must minimally include: an identifier for the gateway, an identifier for the identity provider, and an identifier for the authenticated user
- The value of the user identifier for person A from a given IdP should be the same regardless of the gateway being traversed
UNLESS we are able to agree on common solutions (cont.):
- Those pieces of information should be expressed as consistently as possible by different gateways
- Decisions are required on how attributes/values appear in the app space
- That means forging community agreements on attributes and values for carrying that information
- Those recommendations are being developed as we speak
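The relying-party side of the two requirements above (the three mandatory pieces of information, and a user identifier that stays the same across gateways), plus the "do not allow authN via FB" local-policy control, as an added Python example that is not part of the slides. The attribute names gatewayId, sourceIdP and userId are constructed placeholders, since the community recommendations were still being developed; the assertions are minimal constructed XML with no signature.

```python
# Added example (not from the slides): relying-party checks on SAML assertions
# issued by social-to-SAML gateways. Attribute names are constructed placeholders
# standing in for the not-yet-agreed community recommendations.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical attribute names: gateway, source identity provider, user.
REQUIRED = ("gatewayId", "sourceIdP", "userId")

def extract(assertion_xml):
    """Return the three required attributes as a dict, or raise ValueError."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for a in root.iterfind(".//saml:Attribute", NS):
        vals = [v.text for v in a.iterfind("saml:AttributeValue", NS)]
        if len(vals) == 1:
            attrs[a.get("Name")] = vals[0]
    missing = [n for n in REQUIRED if n not in attrs]
    if missing:
        raise ValueError("assertion missing " + ", ".join(missing))
    return attrs

def accept(assertion_xml, blocked_idps=frozenset()):
    """RP-side decision: required data present and IdP not blocked by local policy."""
    attrs = extract(assertion_xml)
    return attrs["sourceIdP"] not in blocked_idps

def same_user(xml_a, xml_b):
    """True iff two assertions name the same person at the same IdP,
    whatever gateway each one came through (the gateway id is ignored)."""
    a, b = extract(xml_a), extract(xml_b)
    return (a["sourceIdP"], a["userId"]) == (b["sourceIdP"], b["userId"])

def build_assertion(gateway, idp, user):
    # Constructed minimal assertion; a real one also carries Issuer, Subject, signature.
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="gatewayId"><saml:AttributeValue>{gateway}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sourceIdP"><saml:AttributeValue>{idp}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="userId"><saml:AttributeValue>{user}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same person via two different gateways: the RP must see one identity.
VIA_GW1 = build_assertion("gw1.example.org", "google.example", "user-a@idp")
VIA_GW2 = build_assertion("gw2.example.org", "google.example", "user-a@idp")
```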
The Bamboo RPs should support discovery:
- helping the user specify their choice of IdP
- keeps the existence of the gateway invisible to the user, so if gateways go away someday....
- Application developers may not like this: "Why can't the gateway do the discovery bit?"
The Bamboo app should not have to know anything about SAML, OAuth 1.0, OAuth 2.0, OpenID, OpenID ABC, or...
The application developers don't care and should not have to care about the protocol.
OK, expert, did Bamboo hear you correctly?