Andy Powell wrote:
>> Quite. Or you end up forcing them to use a particular OpenID
>> Provider, which kind of defeats the point of OpenID.
>>
>
> But...
>
> Whatever technology we adopt, we need some kind of formalised, managed
> 'federation' - a set of rules for taking part. Agreed?
>
> Wouldn't an OpenID Federation, in which one of the roles of the
> federation managing agent would be to maintain a whitelist of OpenID
> providers that are 'within' the federation (and that can therefore be
> trusted by everyone else in the federation) make sense?
>
>
Several OpenID relying parties already use such a scheme on a per-site
basis so it would not be hard to implement, but it can only work when
all the OpenID providers that are to be used are known, and OpenID,
unlike Shibboleth, has the potential for having a federation of thousands
of unrelated providers. By limiting the number of providers that can be
used wouldn't we be negating the usefulness of the technology as a
single logon technology that can be used throughout a user's life?
> Not quite the fully de-centralised world of mainstream OpenID I agree -
> but a step towards the integration of things that are 'inside' and
> 'outside' the education community?
>
>
I personally believe that using OpenID as an authentication provider to
the existing infrastructure is perhaps a better way of defining what is
inside and outside the education community, e.g. when a student comes to
the university they are asked to register an OpenID account which is
then placed along with their other attributes in the university's
LDAP/database and then can be used to log into the university's IdP in
the same manner that user names and passwords are used, and the university
can then issue a SAML assertion containing the user's SSO information.
Then when the user leaves the university this record is removed along
with all the user's other attributes. This means that the university can
be the authoritative source of any attributes directly related to itself
and vouch for the user's identity as it has preregistered the OpenID as
belonging to a user at registration.
Regards
George
> Andy
> --
> Head of Development, Eduserv Foundation
> http://www.eduserv.org.uk/foundation/
> http://efoundations.typepad.com/
> [log in to unmask]
> +44 (0)1225 474319
>
>
>> -----Original Message-----
>> From: Discussion list for Shibboleth developments
>> [mailto:[log in to unmask]] On Behalf Of Fiona Culloch
>> Sent: 10 December 2008 13:59
>> To: [log in to unmask]
>> Subject: Re: JISC OpenID Report
>>
>> Jon Warbrick wrote:
>>
>>
>>> ... and you (as a service operator) have to decide if you
>>>
>> are willing
>>
>>> to trust each user's chosen OpenID identity provider,
>>>
>> something which
>>
>>> in general you are not in a position to do.
>>>
>> Quite. Or you end up forcing them to use a particular OpenID
>> Provider, which kind of defeats the point of OpenID.
>>
>> Fiona.
>>
>>
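A small model of the two schemes discussed in this thread, added here as an illustration and not code from any of the posters or from the JISC report. The first part is the federation allowlist of OpenID Providers (keyed on OP endpoint URLs, compared exactly); the second is the university directory that stores a pre-registered OpenID alongside the user's other attributes, resolves it at login and drops it when the user leaves. All hostnames, records and the `FEDERATION_OP_ALLOWLIST`, `UniversityRegistry` and `issue_assertion` names are constructed for the example. It assumes an OpenID library has already verified the OP's signed response and confirmed by discovery that the OP endpoint is authoritative for the claimed identifier; only the policy layer is shown, and a plain attribute dict stands in for the SAML assertion.

```python
"""Example code for the thread above (constructed, not from any poster or
product): federation allowlist of OPs plus pre-registered OpenIDs in the
university directory."""
from dataclasses import dataclass
from typing import Dict, Optional, Set
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist maintained by the federation's managing agent.
# It is keyed on OP endpoint URLs (what discovery yields for an identifier),
# not on identifier strings, so any user of an in-federation OP is accepted.
FEDERATION_OP_ALLOWLIST: Set[str] = {
    "https://op.example-university.ac.uk/openid/server",
    "https://openid.example-college.ac.uk/auth",
}


def normalize_identifier(raw: str) -> str:
    """OpenID Authentication 2.0 normalization for URL identifiers (sec. 7.2):
    default the scheme to http, lower-case scheme and host, default an empty
    path to '/', and strip any fragment. Path case is significant and kept."""
    s = raw.strip()
    if s.lower().startswith("xri://") or (s and s[0] in "=@+$!"):
        raise ValueError("XRI identifiers are out of scope for this example")
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError("identifier must be an http(s) URL")
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def canonical_endpoint(url: str) -> str:
    """Canonical form for comparing OP endpoints: exact scheme, host and path."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", "", ""))


def op_allowed(op_endpoint: str,
               allowlist: Set[str] = FEDERATION_OP_ALLOWLIST) -> bool:
    """Exact match only: no prefix or substring matching, so a look-alike host
    that merely contains an allowed hostname is rejected."""
    return canonical_endpoint(op_endpoint) in {canonical_endpoint(u) for u in allowlist}


@dataclass
class UniversityRecord:
    uid: str            # local username in the university directory
    affiliation: str    # e.g. "student" or "staff"
    openid: str         # normalized claimed identifier registered at enrolment


class UniversityRegistry:
    """Models the university LDAP/database of the second scheme: the OpenID is
    stored with the user's other attributes at registration and removed with
    them when the user leaves, so the university stays authoritative for the
    link between OpenID and local account."""

    def __init__(self) -> None:
        self._by_uid: Dict[str, UniversityRecord] = {}
        self._by_openid: Dict[str, UniversityRecord] = {}

    def register(self, uid: str, affiliation: str, openid: str) -> UniversityRecord:
        oid = normalize_identifier(openid)
        if uid in self._by_uid:
            raise ValueError(f"{uid} is already registered")
        if oid in self._by_openid:
            raise ValueError("that OpenID is already bound to another account")
        rec = UniversityRecord(uid, affiliation, oid)
        self._by_uid[uid] = rec
        self._by_openid[oid] = rec
        return rec

    def deregister(self, uid: str) -> None:
        """Leaver processing: the OpenID goes away with the rest of the record."""
        rec = self._by_uid.pop(uid)
        del self._by_openid[rec.openid]

    def resolve(self, claimed_identifier: str) -> Optional[UniversityRecord]:
        return self._by_openid.get(normalize_identifier(claimed_identifier))


def issue_assertion(claimed_identifier: str, op_endpoint: str,
                    registry: UniversityRegistry,
                    allowlist: Optional[Set[str]] = None) -> Optional[Dict[str, str]]:
    """Policy step of the university IdP, run after the OpenID library has
    verified the OP's positive assertion (assumed here). Returns the attributes
    the university is authoritative for (standing in for the SAML assertion),
    or None to refuse. Pass an allowlist to combine both schemes."""
    if allowlist is not None and not op_allowed(op_endpoint, allowlist):
        return None                      # OP is outside the federation
    rec = registry.resolve(claimed_identifier)
    if rec is None:
        return None                      # never pre-registered, or user has left
    return {"uid": rec.uid, "affiliation": rec.affiliation,
            "openid": rec.openid, "op": canonical_endpoint(op_endpoint)}


if __name__ == "__main__":
    reg = UniversityRegistry()
    reg.register("ab123", "student", "alice.example-university.ac.uk")
    print(issue_assertion("http://alice.example-university.ac.uk/",
                          "https://op.example-university.ac.uk/openid/server",
                          reg, FEDERATION_OP_ALLOWLIST))
```

The two checks are deliberately separate: the allowlist answers "do we trust the OP that authenticated this person" and the registry answers "is this OpenID one the university bound to an account at registration". In the second scheme the registry alone carries the trust decision, which is why `issue_assertion` takes the allowlist as optional.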