Metasystem use cases
From Project Concordia
General use case categories
The following are observations on use-case themes that have come up repeatedly and may involve several different groupings of technologies. Examples are cited wherever possible. (Still to do: Add connections to the Chevron, New Zealand State Services Commission, and InCommon Federation use-case presentations as appropriate.)
- Multi-protocol SSO and SLO
  - SSO and subsequent SLO assuming different protocols in use at the first and subsequent service providers
    - E.g., start with SAML/Shibboleth and then SSO to a WS-Fed-using SP, or start with OpenID and then SSO to a SAML-using SP, or authenticate with CardSpace to get SAML SSO -- see matrix below
  - See AOL's slides for "seamless sign-in/out experience" use case
  - See GM's slides for "CardSpace and SAML interoperability" use case
  - See Govt of BC's slides for "protocol bridging" use case (CardSpace and SAML?)
  - See OSIS use cases for CardSpace authentication into Liberty (SAML) IdP, OpenID IdP/OP, OpenID RP
  - See Peter Williams use cases for multi-protocol brokering and metadata to accommodate inter-IdP switching logic (sent to OpenID general list; also see further thoughts in that email thread)
  - Additional issue: How can a relying party declare what protocols it supports in order to provide a seamless user experience? (George Fletcher has ideas on another option)
- Multi-protocol attribute exchange
  - Note that SSO involving simultaneous attribute exchange includes this general use case as well
  - Attribute interpretation and syntactic expression in different protocols/representations
    - E.g., SAML, PKI, Kerberos, OpenID, CardSpace (SAML token?) expressions
  - See GSA's slides for PKI attributes-to-SAML rich attribute exchange
  - See GM's slides for "common claims interface across SAML and WS-*" use case
  - See OSIS use cases: brief mentions of a SAML Attribute Authority enabled to handle CardSpace, OpenID, and Higgins as well
- Multi-protocol bootstrapping into identity services
  - Initial authentication/SSO and bootstrapping into Liberty ID-WSF services using something other than SAML (which is already accounted for in the ID-WSF specs)
    - E.g., start with CardSpace or OpenID and get the bootstrapping attribute needed to locate the user's ID-WSF discovery service -- see matrix below
  - See AOL's slides for "service invocation across protocols" use case
- Protocol brokering for device-to-web SSO
  - Ensuring that "smart client devices" can handle interactions with multiple protocols to hide complexity from the user
  - See AOL's slides for "identity agents to hide protocol issues" use case
  - Note: No specific use cases currently listed in matrix
- Reduction in variation of federation protocol choice for relying parties
- Scalable federation
  - Likely to involve nontechnical factors, best practices, and additional deployment metadata
  - See GSA's slides for "interfederation" use case
  - See Boeing's slides for "nested federation" use case
  - See Govt of BC's slides for "automated federation" use case
  - Note: No specific use cases currently listed in matrix
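As an added illustration of the "attribute interpretation and syntactic expression" problem under Multi-protocol attribute exchange above (this code is not from the Concordia wiki or from any of the cited presentations), the following Python folds the same user attributes, arriving as a SAML 2.0 AttributeStatement, as a CardSpace token (a SAML 1.1 assertion whose claim URI is AttributeNamespace plus AttributeName) and as an OpenID Attribute Exchange fetch_response, onto one canonical claim set. The canonical claim names, the policy of returning unmapped attributes separately instead of merging them, and the three sample tokens are this example's own assumptions; the wire identifiers (LDAP attribute OIDs, axschema.org type URIs, the schemas.xmlsoap.org claim namespace) are the published ones. Signature verification of each token is out of scope here and must happen before any attribute is read.

```python
"""Same user attributes in three wire forms (SAML 2.0 AttributeStatement, CardSpace
SAML 1.1 token, OpenID AX fetch_response) folded onto one canonical claim set.
Token signature verification is assumed to happen before any of this is trusted."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl

SAML2 = "{urn:oasis:names:tc:SAML:2.0:assertion}"
SAML1 = "{urn:oasis:names:tc:SAML:1.0:assertion}"
AX_NS = "http://openid.net/srv/ax/1.0"
ICARD = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"

# Canonical names (left) are this example's own choice (an assumption); the wire
# identifiers (right) are the published LDAP OIDs, AX type URIs and InfoCard claim URIs.
CLAIM_MAP = {
    "email":      ["urn:oid:0.9.2342.19200300.100.1.3",   # mail
                   "http://axschema.org/contact/email", ICARD + "/emailaddress"],
    "given_name": ["urn:oid:2.5.4.42",                     # givenName
                   "http://axschema.org/namePerson/first", ICARD + "/givenname"],
    "surname":    ["urn:oid:2.5.4.4",                      # sn
                   "http://axschema.org/namePerson/last", ICARD + "/surname"],
}
WIRE_TO_CANON = {w: c for c, wires in CLAIM_MAP.items() for w in wires}

def from_saml2(assertion_xml):
    """SAML 2.0: <saml:Attribute Name="urn:oid:..."> with AttributeValue children."""
    out = {}
    for attr in ET.fromstring(assertion_xml).iter(SAML2 + "Attribute"):
        vals = [v.text for v in attr.findall(SAML2 + "AttributeValue") if v.text]
        out.setdefault(attr.get("Name"), []).extend(vals)
    return out

def from_infocard(token_xml):
    """CardSpace tokens are SAML 1.1; the claim URI is AttributeNamespace/AttributeName."""
    out = {}
    for attr in ET.fromstring(token_xml).iter(SAML1 + "Attribute"):
        uri = attr.get("AttributeNamespace").rstrip("/") + "/" + attr.get("AttributeName")
        vals = [v.text for v in attr.findall(SAML1 + "AttributeValue") if v.text]
        out.setdefault(uri, []).extend(vals)
    return out

def from_openid_ax(response_qs):
    """OpenID AX fetch_response: openid.<ns>.type.<a>=<type URI> paired with
    openid.<ns>.value.<a>=<v>, or count.<a> plus value.<a>.<i> when multi-valued."""
    p = dict(parse_qsl(response_qs, keep_blank_values=True))
    out = {}
    for ns in [k.split(".", 2)[2] for k, v in p.items()
               if k.startswith("openid.ns.") and v == AX_NS]:
        prefix = "openid.%s." % ns
        for k, type_uri in p.items():
            if not k.startswith(prefix + "type."):
                continue
            a = k[len(prefix) + 5:]                       # strip "type."
            n = int(p.get(prefix + "count." + a, "0"))
            vals = ([p[prefix + "value.%s.%d" % (a, i)] for i in range(1, n + 1)]
                    if n else [p[prefix + "value." + a]])
            out.setdefault(type_uri, []).extend(vals)
    return out

def normalize(*wire_attr_sets):
    """Fold wire names onto canonical claims. Names outside the map are returned
    separately instead of merged, so the RP sees what it never agreed to interpret."""
    claims, unmapped = {}, {}
    for attrs in wire_attr_sets:
        for wire_name, vals in attrs.items():
            target = claims if wire_name in WIRE_TO_CANON else unmapped
            target.setdefault(WIRE_TO_CANON.get(wire_name, wire_name), []).extend(vals)
    return claims, unmapped

def disagreements(claims):
    """Canonical claims whose sources did not all supply the same value."""
    return sorted(c for c, vals in claims.items() if len(set(vals)) > 1)

# Constructed sample tokens for one user; not captured from any real deployment.
SAML2_SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AttributeStatement>
<saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
<saml:AttributeValue>alice@example.edu</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
<saml:AttributeValue>alice@example.edu</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""
INFOCARD_SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:AttributeStatement>
<saml:Attribute AttributeName="emailaddress" AttributeNamespace="%s">
<saml:AttributeValue>alice@example.edu</saml:AttributeValue></saml:Attribute>
<saml:Attribute AttributeName="givenname" AttributeNamespace="%s">
<saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>""" % (ICARD, ICARD)
AX_SAMPLE = ("openid.ns.ax=http://openid.net/srv/ax/1.0&openid.ax.mode=fetch_response"
             "&openid.ax.type.email=http://axschema.org/contact/email"
             "&openid.ax.value.email=alice@example.edu"
             "&openid.ax.type.last=http://axschema.org/namePerson/last"
             "&openid.ax.count.last=1&openid.ax.value.last.1=Liddell")

def demo():
    return normalize(from_saml2(SAML2_SAMPLE), from_infocard(INFOCARD_SAMPLE),
                     from_openid_ax(AX_SAMPLE))

if __name__ == "__main__":
    print(demo(), disagreements(demo()[0]))
```

In the sample run, the SAML 2.0 assertion also carries eduPersonPrincipalName (urn:oid:1.3.6.1.4.1.5923.1.1.1.6), which the example has not agreed to interpret; it comes back in the unmapped set rather than being silently treated as a second e-mail address, which is the check a relying party bridging several protocols needs: matching on an explicit, per-identifier agreement rather than on whatever the token happens to call the attribute.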
Use case matrix
It's helpful to categorize use cases by the protocols they involve, and to use a matrix to generate discussion about specific requirements where two specific technologies currently do not work smoothly together. An intersection of two technologies might have several relevant use cases (and each use case might be solvable in multiple ways, depending on more-detailed requirements). Not every cell will necessarily have any interesting use cases. The axes may end up having additional technologies added, as more use cases of interest are generated.
| | OpenID | SAML | WS-Fed | CardSpace | WS-Trust | ID-WSF |
|---|---|---|---|---|---|---|
| OpenID | N/A | OpenID-SAML: | OpenID-WSFed: | OpenID-CardSpace: | OpenID-WSTrust: | OpenID-IDWSF: |
| SAML | N/A | N/A | SAML-WSFed: | SAML-CardSpace: | SAML-WSTrust: | SAML-IDWSF: |
| WS-Fed | N/A | N/A | N/A | WSFed-CardSpace: | WS-Fed is a specialization of WS-Trust | WSFed-IDWSF: |
| CardSpace | N/A | N/A | N/A | N/A | CardSpace is a specialization of WS-Trust | CardSpace-IDWSF: |
| WS-Trust | N/A | N/A | N/A | N/A | N/A | WSTrust-IDWSF: |
Individual use case writeups
- Transitioning from OpenID-based SSO to ID-WSF-based attribute exchange
- Choosing between WS-Federation & SAML-based SSO
- SSO between a SAML SP and a WS-Federation SP
- SSO between a SAML SP and an OpenID RP
- SLO amongst sessions established through different SSO protocols
- CardSpace user to Shibboleth RP
- CardSpace user to a SAML SP
ePortfolio use cases
- HR-XML Europass CV: an interoperability use case on CV privacy and data exchange, and an example of cooperation between the Liberty Alliance and HR-XML consortia (first draft: Image:Draft-symlabs-id-hr-xml-1.0-01.pdf -- thanks to Sampo Kellomaki of Symlabs SA)
- ePortfolio: a use case on global privacy support for a user's ePortfolio
Slides from NIST PKI workshop in April 2007
A panel discussion was held at the annual NIST PKI Workshop in Gaithersburg, MD in April 2007. Its purpose was to "compare and contrast" sundry "identity systems" (PKI, Information Cards, OpenID, Liberty, Shibboleth) in the interest of moving toward convergence, unity, harmony, and interoperation. The moderator prepared a set of slides (NIST Panel Slides (.pdf)) to prompt discussion; most discussion was prompted by audience questions, however, so the slides were not used much. They are offered here as "food for thought": they provide no answers, just topics that might be worth discussing. These slides, along with the individual panelists' slides, are also available in the conference proceedings.
