Just to be clear, "identity provider" in SAML isn't intended to mean that this system entity is providing an identity to a digital subject -- it means that this system entity is providing identity information (specifically verification/authentication info) to a relying party/service provider.

From the SAML glossary (now in HTML...):

http://www.oasis-open.org/committees/download.php/21053/saml-glossary-2.0-os.html#Identity Provider
http://www.oasis-open.org/committees/download.php/21053/saml-glossary-2.0-os.html#Relying Party

Often, but not always, a SAML authentication authority also serves as an attribute authority:

http://www.oasis-open.org/committees/download.php/21053/saml-glossary-2.0-os.html#Attribute Authority

Eve

John Kemp wrote:
> Hi Pete,
>
> We're in agreement - I was just noting that a SAML IdP is asserting the
> link between an identifier and a user/subject/principal, which is the
> same as OpenID.
>
> As you say, in SAML, the identifier is often (but doesn't have to be)
> created by the IdP. And, as you say, in OpenID, the identifier is often
> (but doesn't have to be) created by the user.
>
> Regards,
>
> - John
>
> Pete Rowley wrote:
>> John Kemp wrote:
>>> Drummond Reed wrote:
>>>
>>>> And it doesn't stop there. OpenID also supports OPs that
>>>> ***have zero control over the user's OpenID identifier***. The OP simply
>>>> provides a service for authenticating that a user has control of the
>>>> OpenID identifier about which the OP is being queried.
>>>>
>>> And how does one authenticate that the user has control over an
>>> identifier? Is it not by having the OpenID IdP having some secret shared
>>> with the user - maybe a password, say?
>>>
>>> A SAML IdP also authenticates that an identifier (issued by the IdP in
>>> the SAML case) is bound to a particular user.
>>>
>> "issued by the IdP in the SAML case" is really the point. While an
>> identifier /may/ be issued by an OpenID provider (IdP, AA, etc.), that is
>> really the user's choice; the user chooses their identifier and the user
>> chooses who is authorized to provide authentication for the identifier.
>> So really the OP, IdP, AA etc. isn't providing an identifier or an
>> identity. It is providing an identifier ownership assertion service that
>> may or may not be backed up by some form of authentication, and that
>> service provider may be changed.
>>

--
Eve Maler                                  +1 425 947 4522
Technology Director                        eve.maler @ sun.com
CTO Business Alliances group               Sun Microsystems, Inc.

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
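Added example (not code from this thread or from any OpenID library) illustrating Pete Rowley's point above: in OpenID 2.0 HTML-based discovery the user's own page names the OP and the OP-local identifier, so the relying party, not the OP, decides which provider's assertion is acceptable for a claimed identifier. The claimed identifier, page contents and OP URLs below are constructed.

```python
from html.parser import HTMLParser

# The claimed identifier is a URL the user controls; <link> tags on that page
# declare the OP endpoint and an OP-local identifier. An RP must check that a
# positive assertion comes from that OP and names that local identifier.

class _LinkCollector(HTMLParser):
    """Collect rel -> href for <link> tags on the claimed-identifier page."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = dict(attrs)
        if a.get("rel") and a.get("href"):
            for rel in a["rel"].split():          # rel may carry several tokens
                self.links.setdefault(rel.lower(), a["href"])

def discover(claimed_id, page_html):
    """Return (op_endpoint, op_local_id) declared on the user's page.
    OpenID 2.0 tags take precedence over the 1.1 names (openid.server/delegate);
    without a local_id the OP-side identifier is the claimed identifier itself."""
    p = _LinkCollector()
    p.feed(page_html)
    op = p.links.get("openid2.provider") or p.links.get("openid.server")
    if op is None:
        raise ValueError("claimed identifier declares no OpenID provider")
    local = p.links.get("openid2.local_id") or p.links.get("openid.delegate") or claimed_id
    return op, local

def assertion_matches_discovery(claimed_id, page_html, op_endpoint, identity):
    """RP-side check: accept an assertion only if it was issued by the OP the user's
    page delegates to, and it asserts the local identifier that page maps to."""
    exp_op, exp_local = discover(claimed_id, page_html)
    return op_endpoint == exp_op and identity == exp_local

# Constructed sample page for a hypothetical claimed identifier.
CLAIMED_ID = "http://pete.example.org/"
PAGE = """<html><head>
<link rel="openid2.provider" href="https://op.example.net/server" />
<link rel="openid2.local_id" href="https://op.example.net/users/pete" />
</head><body>Pete's page</body></html>"""

if __name__ == "__main__":
    print(discover(CLAIMED_ID, PAGE))
```

Changing the provider is a matter of editing the two link tags; the RP then stops accepting assertions from the old OP for that identifier.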