Cross domain IdP trust

Cal Heldenbrand cal at
Tue Nov 22 16:34:52 GMT 2011

Hi everyone,

I'm trying to think through a few methods to solve a problem accomplishing
SSO through disparate authentication sources.  Say for example:

Each IdP has an entirely separate user/pass namespace.  And, I want each
IdP to "trust" each other, in the sense that any user logged in at any of
the IdPs will *transparently* have access to each SP without logging in
again.  No discovering IdPs or selecting where to log in, and only a
single authentication allows access to all domains.

Something similar to the Common Domain Cookie might solve this problem, but
the spec for that cookie seems too simple.  If were the common
domain in this example, could a series of auth tokens be concatenated
together which would validate authentication at any of the IdPs?  (Say,
similar to OAuth tokens)

Then the authentication flow would be something like:

* is unauthenticated, redirect to
* is unauthenticated, redirect to
* is unauthenticated, redirect back to in a state
of "no authentications have happened, proceed to log in"
* Log in at, create an authentication token
* Redirect to and pass a token as a parameter, along with SAML
* authenticates from the token + attributes, sets a cookie for with the concatenated token

Then another unauthenticated hit to would:

* Redirect to  It's unauthenticated, redirect to
* has the CDC trusted token for, along with SAML
attributes stored in a session
* Redirect to with a parameter list of the token + SAML
* sets a cookie for, redirects to with
successful authentication

Of course, this is absolute redirect hell.  And session management is going
to be horrible.  Are there any protocols that attempt to solve this problem?
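The IdP-to-IdP token hand-off sketched above, as an added example that is not from the original post or from any SAML/Shibboleth component: the authenticating IdP mints a short-lived HMAC-signed token bound to one specific trusting IdP, and the receiver verifies signature, audience and expiry before creating its own session from the carried attributes. The IdP names, the shared key and the claim layout are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed assumption: each trusting pair of IdPs shares a key agreed out of band,
# so a token minted for idp-b cannot be replayed at an IdP holding a different key.
TRUST_KEYS = {("idp-a", "idp-b"): b"constructed-shared-secret-for-a-to-b"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer, audience, subject, attrs, now, ttl=300):
    """Issuing IdP: sign subject + SAML-style attributes for exactly one trusting IdP."""
    key = TRUST_KEYS[(issuer, audience)]
    payload = json.dumps({"iss": issuer, "aud": audience, "sub": subject,
                          "attrs": attrs, "iat": now, "exp": now + ttl},
                         sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token, expected_audience, now):
    """Trusting IdP: return the claims only if issuer is trusted, the signature holds,
    the token was minted for us, and it has not expired; otherwise None."""
    try:
        p64, s64 = token.split(".")
        payload, sig = _unb64(p64), _unb64(s64)
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return None
    key = TRUST_KEYS.get((claims.get("iss"), expected_audience))
    if key is None:
        return None  # no trust relationship with this issuer
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("aud") != expected_audience or claims.get("exp", 0) <= now:
        return None
    return claims
```

Because the token is bound to a single audience, a "concatenated" common-domain cookie would hold one such token per IdP rather than one token valid everywhere.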
