[Concordia] A wiki page for our IdP Discovery Problem educational materials

Paul Madsen paulmadsen at rogers.com
Tue Jan 22 09:21:32 EST 2008 

FYI, Liberty's Discovery Service typically does link discovery and trust.

When an Identity Requestor queries a user's Discovery Service (DS) for 
the location of some attribute (e.g. geolocation), the DS returns both

- the endpoint of the user's geolcoation service
- a security token (a SAML assertion) for the identity requestor to use 
at the above endpoint (thereby allowing the DS to broker trust between 
the requestor and the endpoint)

this is seen as an optimization of having the requestor perform two 
separate calls, one to discover, and another to get a security token

I do acknowledge that this type of service discovery is different than 
the more fundamental 'IDP discovery' problem.

regards

paul

Mikaël Ates wrote:
> Hi Josh,
>   
>> Discovery and trust path establishment are orthogonal. As an analogy, you can use TLS to estalish trust with a peer whose network address you have discovered using insecure DNS.
>>   
>>     
> In fact, in the process I described, the both are linked... The 
> discovery of the authority is the same as the discovery of the trust 
> path, and so, how to establish an indirect trust link. As an analogy, 
> TLS gives you signatures but does not say how you can trust a signature. 
> In a federation, maybe you have a common PKI, a white list of trusted 
> signatures, and if you rely on indirect trust, you can trust the trusted 
> parties of your trusted parties.
>   
>> IIRC, eduGAIN (like the Shibboleth profile) does not consider discovery to be in-scope.
>>   
>>     
> I do not know technical details of eduGAIN but I found this in the 
> eduGAIN deliverable DJ5.2.2:
> "Home Location Service, in charge of *locating the appropriate identity 
> repository at the home domain*"
> "An eduGAIN Home Location Request is a message sent via the federation 
> peering point to determine the home
> interfaces where an authentication or attribute request can be 
> satisfied, and to *establish trust among these
> interfaces and the requesting element*.
>
> Regards,
> Mikaël
>
>   
>> best regards, josh.
>>
>>   
>>     
>>> -----Original Message-----
>>> From: community-bounces at projectconcordia.org
>>> [mailto:community-bounces at projectconcordia.org] On Behalf Of Mikaël 
>>> Ates
>>> Sent: 22 January 2008 10:03
>>> To: Eve Maler
>>> Cc: community at projectconcordia.org
>>> Subject: Re: [Concordia] A wiki page for our IdP Discovery Problem 
>>> educational materials
>>>
>>> Hi the Concordia community,
>>>
>>> Eve have posted about the "where are you from" issue. I am also 
>>> working on this (like everyone I guess...) so I would be pleased if 
>>> anybody could give me his opinion about something like "Say me 
>>> something about you, I will say you where you are from" and also if 
>>> you ever hear something about this? In fact, these works mainly 
>>> concern trust path establishment.
>>>
>>> I suppose that the SP/RP and the Authority (STS, SAML IdP,
>>> etc...) are not directly trust linked. So there is "n" 
>>> indirect trust links and n+1 nodes. The nodes at the boundaries are 
>>> the security information (token, assertion,
>>> etc...) producer and consumer. The "middle nodes" ensure what
>>> SAML2 called "IdP proxing", which means for me transitive trust. I 
>>> called them trusted nodes. The issue is: the user is "on" the SP and 
>>> want to authn (or else) on an Authority indirectly trusted by the SP 
>>> (Does it sound like a reallife case?).
>>> I suppose that the Authority and trusted nodes metadatas are 
>>> "publicly"
>>> avaible which means that all the trust links can be known. So it also 
>>> means that it is feasable for an SP or a dedicated entity (maybe a 
>>> "trust router") to construct a complete "trust path table".
>>> The SP asks the user a "hint", something like a URI or a domain name. 
>>> The SP presents the user a form or a claim requirement (satisfied by 
>>> an infocard containing the hint). With this hint the SP is able to 
>>> match one of the trust paths.
>>> So the SP redirects the user to the first trusted node of the path, 
>>> which the SP directly trusts. The SP also gives the hint while the 
>>> redirection. Hence, the trusted node will perform an other "jump" in 
>>> the
>>> path: matching and redirection.
>>> One of the application I see is for a sort of internationnal 
>>> confederation. For now, you would have choosen your country on the SP 
>>> for the first redirection, your organization on the trusted node, and 
>>> then you would have authenticated on your IdP. There, we only have one 
>>> trusted node, so it is feasable to require the human intervention to 
>>> establish the trust path. But it is not if we have n trusted nodes...
>>> In fact, some confederation project (eduGAIN) rely on a common PKI, so 
>>> there is a common "metadatas pool" of the confederation which allows 
>>> to search (also thanks to a hint) the IdP directly in the metadatas, 
>>> and dynamically establish a direct trust link between the SP and the 
>>> IdP.
>>> Here, I treat another case, in which we don't have a common PKI or 
>>> whatever secondary common trust architecture which would allow a 
>>> dynamic direct trust establishment. In the case of a dynamic direct 
>>> trust establishment, the SAML ECP profile or Infocard tech would be 
>>> enough to solve the WAYF issue. In fact, there is common trust 
>>> architecture which would be the (con)federation by itself.
>>>
>>> Regards,
>>>
>>> Mikaël Ates
>>> DIOM Laboratory - ISTASE School of Engineering University of 
>>> Saint-Etienne - FRANCE mikael.ates at univ-st-etienne.fr
>>> +33 4 77 43 50 34
>>>
>>> Eve Maler wrote:
>>>     
>>>       
>>>> I finally created a place to put our IdP discovery thoughts; that 
>>>> action has been hanging out there for a while.  Please feel free to 
>>>> edit, correct, flesh out, etc.  Scott and Jeff and George, I'd be 
>>>> especially grateful for your contributions since we all indicated 
>>>> interest in carrying this forward.
>>>>
>>>>
>>>>       
>>>>         
>>> http://projectconcordia.org/index.php/The_Identity_Provider_Discovery_
>>>     
>>>       
>>>> Problem
>>>>
>>>> By the way, in some private conversations I've been having,
>>>>       
>>>>         
>>> it seems
>>>     
>>>       
>>>> deployers would find a similar exercise for single logout to be 
>>>> useful.  It's got some of the same characteristics: sensitive to UI 
>>>> concerns, decisions get based as much on business as technical 
>>>> considerations, confusing, no one perfect solution vs. lots of 
>>>> imperfect solutions that involve tradeoffs...  If you're
>>>>       
>>>>         
>>> interested,
>>>     
>>>       
>>>> please raise your hand (or just start writing a new page!).
>>>>
>>>> 	Eve
>>>>
>>>> Eve Maler                                         +1 425 947 4522
>>>> Principal Engineer                            eve.maler @ sun.com
>>>> CTO Business Alliances group                Sun Microsystems, Inc.
>>>>
>>>> _______________________________________________
>>>> Community mailing list
>>>> Community at projectconcordia.org
>>>> http://lists.projectconcordia.org/mailman/listinfo/community
>>>>
>>>> Participating in this discussion list does not grant any
>>>>       
>>>>         
>>> intellectual property rights or any commitment by the participants of 
>>> the content discussed to any organization.
>>>     
>>>       
>>>>   
>>>>       
>>>>         
>>> _______________________________________________
>>> Community mailing list
>>> Community at projectconcordia.org
>>> http://lists.projectconcordia.org/mailman/listinfo/community
>>>
>>> Participating in this discussion list does not grant any intellectual 
>>> property rights or any commitment by the participants of the content 
>>> discussed to any organization.
>>>
>>>     
>>>       
>> JANET(UK) is a trading name of The JNT Association, a company limited
>> by guarantee which is registered in England under No. 2881024 
>> and whose Registered Office is at Lumen House, Library Avenue,
>> Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
>>
>> _______________________________________________
>> Community mailing list
>> Community at projectconcordia.org
>> http://lists.projectconcordia.org/mailman/listinfo/community
>>
>> Participating in this discussion list does not grant any intellectual property rights or any commitment by the participants of the content discussed to any organization.
>>   
>>     
>
> _______________________________________________
> Community mailing list
> Community at projectconcordia.org
> http://lists.projectconcordia.org/mailman/listinfo/community
>
> Participating in this discussion list does not grant any intellectual property rights or any commitment by the participants of the content discussed to any organization.
>
>
>   

-- 
Paul Madsen             e:paulmadsen @ ntt-at.com
NTT                     p:613-482-0432
                        m:613-282-8647
                        aim:PaulMdsn5
                        web:connectid.blogspot.com

More information about the Community mailing list