Choosing between WS-Federation & SAML-based SSO
From Project Concordia
Use case description
An identity provider can use either WS-Federation or SAML for any particular SSO interaction with an RP. Which of the two is chosen will depend on some combination of application context & RP capabilities.
If the SSO is initiated from the RP, one option is a Yadis/XRDS-type mechanism by which the IDP/OP advertises its protocol capabilities and the RP selects from that list.
If the SSO is initiated from the RP, another option is the DNS mechanism by which the IDP/OP advertises its protocol capabilities. This one is already specified: the SAML2 and WS-Federation specifications both indicate that an IDP/OP advertises a pointer to its capabilities using DNS. A SAML2 IDP has well-known NAPTR records at the organization's domain name. A WS-Federation IDP has well-known SRV records below the organization's domain name.
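The RP-initiated DNS discovery and protocol selection described above, as an added illustration (not code from Project Concordia or from either specification). It runs against a constructed, in-memory DNS answer table; the NAPTR service tag and the SRV owner-name label are placeholders, since the page only states that SAML2 uses NAPTR records at the domain and WS-Federation uses SRV records below it.

```python
# Constructed DNS answers standing in for a real resolver, so this runs offline.
# The service tag and SRV label below are ASSUMED placeholder names, not values
# taken from the SAML2 or WS-Federation specifications.
SAML_NAPTR_SERVICE = "saml2-idp"   # placeholder NAPTR service field
WSFED_SRV_LABEL = "_wsfed._tcp"    # placeholder SRV owner-name prefix

# NAPTR tuples: (order, preference, flags, service, regexp, replacement)
# SRV tuples:   (priority, weight, port, target)
CONSTRUCTED_DNS = {
    ("example.org", "NAPTR"): [(10, 10, "S", SAML_NAPTR_SERVICE, "", "idp.example.org.")],
    (f"{WSFED_SRV_LABEL}.example.org", "SRV"): [(0, 5, 443, "sts.example.org.")],
    ("saml-only.example", "NAPTR"): [(10, 10, "S", SAML_NAPTR_SERVICE, "", "idp.saml-only.example.")],
}


def lookup(name, rtype, dns=CONSTRUCTED_DNS):
    """Stand-in for a DNS query; an empty list means no records of that type."""
    return dns.get((name, rtype), [])


def advertised_protocols(domain, dns=CONSTRUCTED_DNS):
    """Protocols the IDP/OP advertises via DNS for the given organization domain.

    SAML2: NAPTR at the domain apex carrying the (placeholder) service tag.
    WS-Federation: SRV record at a well-known label below the domain.
    """
    found = set()
    if any(rec[3] == SAML_NAPTR_SERVICE for rec in lookup(domain, "NAPTR", dns)):
        found.add("SAML2")
    if lookup(f"{WSFED_SRV_LABEL}.{domain}", "SRV", dns):
        found.add("WS-Federation")
    return found


def choose_protocol(domain, rp_supports, rp_preference=("SAML2", "WS-Federation"),
                    dns=CONSTRUCTED_DNS):
    """RP-initiated negotiation: first RP-preferred protocol the IDP also advertises.

    Returns None when the RP and IDP have no protocol in common. DNS answers that
    are not DNSSEC-validated are only a capability hint: the RP must still establish
    trust in the discovered IDP (for example via its signed metadata) before use.
    """
    common = advertised_protocols(domain, dns) & set(rp_supports)
    for proto in rp_preference:
        if proto in common:
            return proto
    return None
```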
Does it make any sense to think about SSO being initiated from the IDP side in anything other than a predefined community, where there is no need for such dynamic protocol negotiation? Put another way, for the IDP and RP not to 'know' each other (and therefore not know which protocol to use with the other) would presume that the User would have to manually indicate to the IDP 'where they wanted to go today'.
Workflows
Additional information and related work
Paul post - http://connectid.blogspot.com/2007/05/no-man-or-provider-is-island.html
George post - Technology convergence or seamless integration?
Mark Wahl post - Cross-organizational identity service schema discovery: SAML2 and WS-Federation
