On 2/9/10 6:06 PM, Scott Cantor wrote:
Joost Van Dijk wrote on 2010-02-09:
As for the mappings between OpenID and SAML/A-Select - these are fairly simple. No policy mappings of any kind, just authentication and some attribute mappings.
If you want me to elaborate more on these gateways, please let me know.
I'd be interested to know how and whether you harmonized identifiers. Did you just force everything into OpenID/URL syntax for user identification, or do applications handle different identifier types?
-- Scott
We basically made a one-to-one mapping between OpenID URLs and a combination of SAML entity ID / subject. As these can get rather ugly, we also tried a more static mapping with the IDP's domain name and its user's uid. In this scheme, a user presenting an OpenID URL like https://openid.surfnet.nl/myuniversity/john would be redirected by the RP first to our gateway, then to the SAML IDP mapped from 'myuniversity', where the user needs to authenticate as 'john'. After returning to the gateway, before being sent back to the RP, it is checked that it was actually john who logged in.

We're still experimenting with alternatives. One extreme is to forget about all SAML attribute mapping to OpenID's sreg or AX, use OpenID 2.0's identifier select feature to circumvent the OpenID URL mapping problem and release privacy-preserving obfuscated URLs to RPs. This would of course limit usefulness somewhat, but avoids a lot of the hairiness... both protocol-wise and policy-wise.

-- Joost
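Both gateway behaviours described above (the claimed-identifier check on return from the IdP, and the identifier-select alternative that releases obfuscated per-RP URLs) as an added Python sketch; this is not code from the thread or from the SURFnet gateway, and the IdP entity ID, the HMAC secret and the RP realms are constructed for the example.

```python
import hmac
import hashlib
from urllib.parse import urlparse

# Constructed gateway configuration: OpenID path prefix -> SAML IdP entity ID.
# The entity ID is a placeholder, not a real IdP.
IDP_BY_PREFIX = {
    "myuniversity": "https://idp.myuniversity.example/saml2/idp",
}
GATEWAY_HOST = "openid.surfnet.nl"


def parse_claimed_id(openid_url):
    """Split https://openid.surfnet.nl/<idp-prefix>/<uid> into
    (idp_entity_id, expected_uid); reject URLs the gateway did not issue."""
    u = urlparse(openid_url)
    if u.scheme != "https" or u.hostname != GATEWAY_HOST:
        raise ValueError("not a gateway-issued OpenID URL")
    parts = [p for p in u.path.split("/") if p]
    if len(parts) != 2 or parts[0] not in IDP_BY_PREFIX:
        raise ValueError("unknown IdP prefix or malformed path")
    return IDP_BY_PREFIX[parts[0]], parts[1]


def verify_saml_return(openid_url, saml_issuer, saml_subject):
    """Check done on return from the IdP, before redirecting to the RP:
    the assertion must come from the IdP the URL maps to and must name the
    same user the URL claims. Otherwise anyone who can log in at the IdP
    could present another user's OpenID URL."""
    entity_id, expected_uid = parse_claimed_id(openid_url)
    return saml_issuer == entity_id and saml_subject == expected_uid


def pairwise_identifier(secret, saml_issuer, saml_subject, rp_realm):
    """Identifier-select alternative: derive a stable, per-RP, obfuscated
    OpenID URL from (IdP, subject, RP realm) so the RP learns neither the
    uid nor an identifier it can correlate with other RPs.
    `secret` is a gateway-private key (constructed in the test)."""
    msg = "\n".join([saml_issuer, saml_subject, rp_realm]).encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]
    return f"https://{GATEWAY_HOST}/id/{tag}"
```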