
OpenID Nascarization

Chris has an interesting post about user experience around OpenID - Does OpenID need to be hard?

I raised the issue of Nascarization more than a year ago. There should be one OpenID button. Not two. Not three. Otherwise it’s not scalable for the relying parties, and it’s confusing for the user.

OpenID isn’t new in terms of the user flow. Every other SSO-type protocol (SAML, WS-Fed, OAuth) has essentially the same flow: the user shows up at the RP, authenticates at the IdP, and is logged in at the RP. The Verified by Visa and PayPal user flows aren’t much different either.

They all also share the following major constructs (one could argue that the different protocols could learn from or leverage each other, but let’s not go there):

  • Token format
  • Key Management
  • Discovery

Discovery is the hardest, since it has the most impact on the user flow. SAML doesn’t really have to face the issue to the same extent as OpenID, since most SAML federations today are B2B with a limited or clearly defined set of IdPs.
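To make the discovery point concrete, here is an added example (not code from the original post) of the HTML-based OpenID 2.0 discovery step that lets an RP offer one identifier box instead of a row of provider buttons; the identifier page it parses is a constructed sample, and the https-only check is a defensive choice of this example rather than something the post describes.

```python
# Added example: HTML-based OpenID 2.0 discovery for a relying party.
# The RP takes whatever identifier the user typed, fetches that page and
# looks for <link rel="openid2.provider"> / <link rel="openid2.local_id">.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of what a user's claimed-identifier page might serve.
SAMPLE_IDENTIFIER_PAGE = """<html><head>
<link rel="openid2.provider" href="https://op.example.net/server">
<link rel="openid2.local_id" href="https://op.example.net/user/alice">
<link rel="stylesheet" href="/style.css">
</head><body>alice</body></html>"""


class _OpenIDLinkParser(HTMLParser):
    """Collect the first <link rel="openid2.*"> of each kind on the page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        # rel may hold several space-separated tokens; keep the first match
        for rel in (a.get("rel") or "").split():
            if rel.startswith("openid2."):
                self.links.setdefault(rel, a.get("href"))


def discover_op(html):
    """Return (op_endpoint, local_id), or None if the page is not an
    OpenID 2.0 identifier.

    Defensive choice of this example: only https endpoints are accepted,
    so the user is never redirected to a provider the RP cannot verify.
    """
    parser = _OpenIDLinkParser()
    parser.feed(html)
    endpoint = parser.links.get("openid2.provider")
    if not endpoint or urlparse(endpoint).scheme != "https":
        return None
    return endpoint, parser.links.get("openid2.local_id")
```

With a fixed IdP list, as in most B2B SAML federations, the RP skips this step entirely and simply maps the user to a preconfigured IdP, which is why SAML rarely has the Nascarization problem.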

Great to see the acknowledgment of the issues and a focus on addressing the problem. I’m hoping to see more developments in IDIB and/or a cleaner discovery service. And as a user, I get my one button.

Speaking of elephants in the room, it would be nice to have some agreement on a way to exchange attributes/claims between the IdP and the RP. As it stands today, I can use SReg, AX or OAuth. There is definitely some overlap there, and the lack of clarity often results in “wait” for most implementors.
