
The OpenID Case Why It’s Not a Bad Idea to Play with The Big Guys


Presentation Transcript


  1. The OpenID Case: Why It’s Not a Bad Idea to Play with The Big Guys

  2. The OpenID Advent
  • Simple to understand
    • You are your URL
    • Discovery is transparent
  • Simple to extend
    • JSON-style mechanisms
    • Can allocate almost anything
  • Embraced by (some of) The Big Guys
    • And some governments
  • Well aligned with other protocols
    • Mostly, OAuth
    • And that means opportunities for us

  3. The OpenID LoA
  • OpenID-The-Current-Infrastructure
    • Accept an OpenID as long as it is backed by the basic protocol
    • Most OpenIDs come from Internet services with (very) few enrolment requirements
    • Therefore, very low LoA on identity
  • OpenID-The-Protocol
    • Supports (or does not forbid) additional checks
    • Restricting acceptance to well-behaved OPs
    • An example: yo.rediris.es
      • Requires an identity in a SIR IdP
      • Equivalent LoA to any SAML AuthN assertion

  4. OpenID-The-Protocol
  • SP checks for trusted IdP
  • IdP checks for trusted SP
  • Mutual authentication possible

  5. OpenIDs and NameIDs
  • IdP discovery is an integral part of the OpenID protocol
    • OpenID v2 allows users to express non-unique IDs
      • yo.rediris.es -> http://yo.rediris.es/drlopez@rediris.es
    • Initial attributes can be forwarded as well
      • Push-model for IdP-asserted attributes
  • OpenIDs are DNs/NameIDs/SubjectDNs/…
    • Once expanded and validated, they can be used as subject identifier in any further query
    • Aggregate attributes retrieved via
      • OAuth
      • SAML
      • LDAP
      • VOMS
      • . . .
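Slides 3 to 5 describe the relying-party side of this: normalize what the user typed, run discovery to find the OP, and only accept assertions from OPs the RP trusts at the LoA it needs (yo.rediris.es, backed by a SIR IdP, versus an arbitrary webmail OP). The following is an added example, not code from the slides or from RedIRIS. It implements a simplified version of the OpenID 2.0 identifier normalization from section 7.2 of the spec, and replaces real Yadis/HTML discovery with a constructed lookup table; every OP endpoint URL, LoA number and `.invalid` host in it is hypothetical.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# XRI global context symbols; an identifier starting with one is an XRI, not a URL.
XRI_GCS = ("=", "@", "+", "$", "!")


def normalize_claimed_id(user_input: str) -> str:
    """Simplified OpenID 2.0 identifier normalization (spec section 7.2):
    strip an 'xri://' prefix, pass XRIs through untouched, default the scheme
    to http://, lower-case scheme and host, add a root path, drop the fragment."""
    s = user_input.strip()
    if s.startswith("xri://"):
        s = s[len("xri://"):]
    if s.startswith(XRI_GCS):
        return s
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


# Constructed stand-in for discovery: normalized identifier -> OP endpoint URL.
# A real RP obtains this by fetching the identifier (Yadis/XRDS or HTML link rel).
# All endpoint URLs here are hypothetical, including the one for yo.rediris.es.
DISCOVERY = {
    "http://yo.rediris.es/": "https://yo.rediris.es/openid/server",
    "http://yo.rediris.es/drlopez@rediris.es": "https://yo.rediris.es/openid/server",
    "http://drlopez.webmail.invalid/": "https://webmail.invalid/openid",
    "http://someone.other-op.invalid/": "https://other-op.invalid/openid",
}

# Constructed allowlist of OP endpoints and the LoA this RP grants their assertions
# (the slides' point: an OP behind a SIR IdP rates higher than a webmail OP).
TRUSTED_OPS = {
    "https://yo.rediris.es/openid/server": 3,
    "https://webmail.invalid/openid": 1,
}


@dataclass(frozen=True)
class Decision:
    claimed_id: str
    op_endpoint: Optional[str]
    loa: Optional[int]
    verdict: str


def evaluate(user_input: str, required_loa: int) -> Decision:
    """Normalize, discover, then accept only if the discovered OP is trusted
    at or above the LoA this RP requires."""
    claimed = normalize_claimed_id(user_input)
    endpoint = DISCOVERY.get(claimed)
    if endpoint is None:
        return Decision(claimed, None, None, "reject: discovery failed")
    loa = TRUSTED_OPS.get(endpoint)
    if loa is None:
        return Decision(claimed, endpoint, None, "reject: OP not in allowlist")
    if loa < required_loa:
        return Decision(claimed, endpoint, loa, "reject: OP LoA below requirement")
    return Decision(claimed, endpoint, loa, "accept")


def response_matches_discovery(decision: Decision, op_endpoint_in_response: str) -> bool:
    """OpenID 2.0 RPs must check that openid.op_endpoint in a positive assertion
    equals the endpoint found by their own discovery, so an allowlist keyed on the
    discovered endpoint cannot be sidestepped by a response naming another OP."""
    return decision.verdict == "accept" and decision.op_endpoint == op_endpoint_in_response


if __name__ == "__main__":
    for ident in ("yo.rediris.es/drlopez@rediris.es", "drlopez.webmail.invalid",
                  "someone.other-op.invalid", "nobody.invalid"):
        d = evaluate(ident, required_loa=2)
        print(f"{ident:40} -> {d.verdict} (LoA {d.loa})")
```

The allowlist is keyed on the OP endpoint the RP discovered itself, never on anything carried in the assertion; `response_matches_discovery` is the check that ties the two together. Raising `required_loa` is how an RP expresses the slide-3 policy of accepting only OpenIDs from well-behaved OPs without rejecting the protocol as a whole.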

  6. CTX: Full-fledged OpenID

  7. CTX: Full-fledged OpenID

  8. The Identity Golden Rule
  • Digital identities are more valuable as they become more widely assertable
    • Adoption/use of OpenID is a wise move
  • Policies (and technologies) to define
    • What makes an OP reliable
    • What makes an OpenID usable
    • How to express metadata related to an OP
    • An algebra for attributes and LoAs
