I recently received a comment on my SAML Bashing blog entry. "Jeremy" (not sure which Jeremy as he was otherwise anonymous in his comment -- I wonder if it's really James in disguise -- this seems the kind of comment James would leave, but James is usually quite blatant about it, not hiding behind an identity pseudonym) asked:
Kim stated "The question of how the relying party knows which identity provider URL to use is open ended. In a portal scenario, the address might be hard wired, pointing to the portal’s identity provider. ". What are your thoughts on that?
In the early days of Liberty ID-FF, we paid a good amount of attention to what solutions would fit into the various portal solutions. Must of this has to do with the configuration and structure of the portal. We saw different portals using different solutions including:
- Push SSO
In "push SSO" the portal, when creating links to the various components that make up the portal, generate redirection links that send the user directly to the IdP with some additional information causing the IdP to initiate an SSO to the third party.
This is a common solution used in enterprise portals when the user selects a link provided by an outsourced third party (such as Fidelity providing 401K or stock purchase account management for employees).
- Well-known IdP
This is the solution mentioned in your quote of Kim. The members of the portal know which entity provides IdP services for the portal and can send the user to the IdP to get them authenticated. This is how most portals work today (e.g. Yahoo's IdP is known as the IdP for all Yahoo services at the Yahoo portal, so when I go to Yahoo Games, I get authenticated by the Yahoo IdP).
Affiliations are a technical structure used to represent provider membership in a group (such as a portal, but can also be other business groups). When the user "federates" to an affiliation, the members of the affiliation are able to treat the user a a common user providing synchronized services and precluding a multitude of consents and idp interactions.
The concept of Affiliations was introduced in the ID-FF specifications and was incorporated into SAML 2.0 during the convergence of SAML 1, ID-FF and Shibboleth.