[OAUTH-WG] AS associated to multiple IdPs
Todd W Lainhart <lainhart@us.ibm.com> Wed, 17 July 2013 14:08 UTC
To: IETF oauth WG <oauth@ietf.org>
Message-ID: <OF34FAF5DD.D51F94DA-ON85257BAB.004AEB21-85257BAB.004DA290@us.ibm.com>
This is not specifically an OAuth question per se, but there's enough experience here from multiple domains (e.g. OIDC, UMA, SCIM) that someone might be able to give me a pointer.

I'm considering the case where an authorization server is associated to multiple IdPs, such that identity could come from LDAP or (say) Google. In such a set-up, the identity that the AS associates to a bearer token might be "jdoe" (LDAP) or "jdoe@gmail.com" (Google). When a resource server performs an introspection on such a token, they're either returned "jdoe" or "jdoe@gmail.com", depending upon what IdP the resource owner chose to authenticate to.

A couple of questions re this setup:

1) First, is the cardinality between AS and IdP reasonable (AS(*) <==> IdP(1-n)), and if so, is there precedent and best practice that I can study?

2) Assuming "true" for "1" above... In the case where the AS is performing the role of SSO provider to multiple resource servers, I'm imagining a setup where it is desirable that all resource servers associated to that AS see the user principal identifier that makes sense to them. E.g. Resource Server "A" prefers the "jdoe" identity; Resource Server "B" prefers the "jdoe@gmail.com" identity. When "A" or "B" receives a bearer token via back channels, provisioned by the AS to "John Doe", introspection reveals, directly or indirectly, the identity "A" and "B" prefer. That suggests that either there's a user registry where "A" and "B" can ask for the identity aliases associated to the generalized token-identity that they received (e.g. mapped to "john.doe"), or the response from introspection widens (perhaps in a proprietary way) to include these aliases (e.g. authenticated principal: "john.doe"; aliases: "jdoe"; "jdoe@gmail.com"). In both cases, there's a mapping between the aliases outside of the participating resource servers. If this second question made sense, I'm looking for precedents and insights (or better practice).

I'm wondering if SCIM plays a role here.

Todd Lainhart
Rational software
IBM Corporation
550 King Street, Littleton, MA 01460-1250
1-978-899-4705
2-276-4705 (T/L)
lainhart@us.ibm.com
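The second setup sketched in the message above, as an added Python illustration that is not part of the original thread and not the code of any IBM product: an AS that fronts several IdPs maps the IdP-specific login identity ("jdoe" at LDAP, "jdoe@gmail.com" at Google) to one canonical principal ("john.doe") at token issuance, and its introspection response carries that canonical principal plus the alias map, so each resource server resolves the identifier it prefers without doing identity mapping itself. The user registry layout, the "idp" and "aliases" introspection members, the per-RS IdP preference and the RS credentials are all hypothetical; RFC 7662 defines "active", "sub" and "scope" but no alias member. Introspection is treated as an authenticated endpoint so that only registered resource servers can learn the alias set for a token.

```python
"""Added example (not from the original message or any named product):
an authorization server fronting several IdPs that keeps one canonical
principal per user and returns the user's IdP aliases from introspection,
so each resource server can resolve the identifier it prefers.

Hypothetical, not from the message: the registry layout, the "idp" and
"aliases" introspection members, and the per-RS IdP preference.
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class UserRecord:
    canonical: str   # generalized token identity, e.g. "john.doe"
    aliases: dict    # IdP name -> identifier the user has at that IdP


# Constructed registry: one canonical principal with an LDAP and a Google identity.
REGISTRY = {
    "john.doe": UserRecord("john.doe", {"ldap": "jdoe", "google": "jdoe@gmail.com"}),
}


class AuthorizationServer:
    """Issues opaque bearer tokens bound to a canonical principal and answers
    authenticated introspection calls from registered resource servers."""

    def __init__(self, registry, rs_credentials):
        self.registry = registry
        self.rs_credentials = rs_credentials   # rs_id -> shared secret (constructed)
        self.tokens = {}                       # token -> (canonical, idp, scope)

    def login(self, idp, idp_identity, scope):
        # Resolve the IdP-specific identity to the canonical principal at
        # issuance time, so the token itself never carries an IdP-shaped name.
        for rec in self.registry.values():
            if rec.aliases.get(idp) == idp_identity:
                token = secrets.token_urlsafe(32)
                self.tokens[token] = (rec.canonical, idp, scope)
                return token
        raise PermissionError("no user maps to %r at IdP %r" % (idp_identity, idp))

    def introspect(self, token, rs_id, rs_secret):
        # Introspection is a protected endpoint: only registered resource
        # servers may query it, and the secret comparison is constant-time.
        expected = self.rs_credentials.get(rs_id)
        if expected is None or not hmac.compare_digest(expected, rs_secret):
            raise PermissionError("resource server not authenticated")
        entry = self.tokens.get(token)
        if entry is None:
            return {"active": False}
        canonical, idp, scope = entry
        rec = self.registry[canonical]
        return {
            "active": True,
            "sub": canonical,               # the generalized identity
            "scope": scope,
            "idp": idp,                     # IdP the resource owner used (hypothetical member)
            "aliases": dict(rec.aliases),   # alias map (hypothetical member)
        }


class ResourceServer:
    """Resolves the principal it prefers from an introspection response."""

    def __init__(self, rs_id, rs_secret, preferred_idp, auth_server):
        self.rs_id = rs_id
        self.rs_secret = rs_secret
        self.preferred_idp = preferred_idp
        self.auth_server = auth_server

    def principal_for(self, token):
        info = self.auth_server.introspect(token, self.rs_id, self.rs_secret)
        if not info.get("active"):
            return None
        # Prefer the alias at this RS's IdP; fall back to the canonical
        # principal, which is always present and never IdP-specific.
        return info.get("aliases", {}).get(self.preferred_idp, info["sub"])


if __name__ == "__main__":
    rs_secrets = {"A": "secret-a", "B": "secret-b"}   # constructed credentials
    auth = AuthorizationServer(REGISTRY, rs_secrets)
    token = auth.login("google", "jdoe@gmail.com", "read")
    rs_a = ResourceServer("A", "secret-a", "ldap", auth)
    rs_b = ResourceServer("B", "secret-b", "google", auth)
    print(rs_a.principal_for(token))   # jdoe, although the user signed in via Google
    print(rs_b.principal_for(token))   # jdoe@gmail.com
```

The design point is that the alias mapping lives in exactly one place, the AS registry, and resource servers only ever see the canonical principal plus the aliases the AS vouches for; a resource server whose preferred IdP has no alias for the user falls back to "sub" rather than guessing, and an inactive or unknown token yields no principal at all.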