John Kemp wrote:
Drummond Reed wrote:
And it doesn't stop there. OpenID also supports OPs that
***have zero control over the user's OpenID identifier***. The OP simply
provides a service for authenticating that a user has control of the OpenID
identifier about which the OP is being queried.

And how does one authenticate that the user has control over an
identifier? Is it not by having the OpenID IdP having some secret shared
with the user - maybe a password, say?

A SAML IdP also authenticates that an identifier (issued by the IdP in
the SAML case) is bound to a particular user.

"issued by the IdP in the SAML case" is really the point. While an identifier /may/ be issued by an OpenID provider (IdP, AA, etc.), that is really the user's choice: the user chooses their identifier, and the user chooses who is authorized to provide authentication for the identifier. So really the OP, IdP, AA, etc. isn't providing an identifier or an identity. It is providing an identifier ownership assertion service that may or may not be backed up by some form of authentication, and that service provider may be changed.


--
Pete


_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
