Cross domain IdP trust
Cal Heldenbrand
cal at fbsdata.com
Tue Nov 22 16:34:52 GMT 2011
Hi everyone,
I'm trying to think through a few methods to solve a problem accomplishing
SSO through disparate authentication sources. Say for example:
idp.one.com
sp.one.com
idp.two.com
sp.two.com
idp.three.com
sp.three.com
Each IdP has an entirely separate user/pass namespace. And, I want each
IdP to "trust" each other, in the sense that any user logged in at any of
the IdPs will *transparently* have access to each SP without logging in
again. No discovering IdPs or selecting where to log in, and only a
single authentication allows access to all domains.
Something similar to the Common Domain Cookie might solve this problem, but
the spec for that cookie seems too simple. If idp.one.com were the common
domain in this example, could a series of auth tokens be concatenated
together which would validate authentication at any of the IdPs? (Say,
similar to OAuth tokens)
Then the authentication flow would be something like:
* sp.three.com is unauthenticated, redirect to idp.three.com.
* idp.three.com is unauthenticated, redirect to idp.one.com
* idp.one.com is unauthenticated, redirect back to idp.three.com in a state
of "no authentications have happened, proceed to log in"
* Log in at idp.three.com, create an authentication token
* Redirect to idp.one.com and pass a token as a parameter, along with SAML
attributes
* idp.one.com authenticates from the token + attributes, sets a cookie for
one.com with the concatenated three.com token
Then another unauthenticated hit to sp.two.com would:
* Redirect to idp.two.com. It's unauthenticated, redirect to idp.one.com
* idp.one.com has the CDC trusted token for three.com, along with SAML
attributes stored in a session
* Redirect to idp.two.com with a parameter list of the token + SAML
attributes
* idp.two.com sets a cookie for two.com, redirects to sp.two.com with
successful authentication
Of course, this is absolute redirect hell. And session management is going
to be horrible. Are there any protocols that attempt to solve this problem?
Thanks!
--Cal
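The flow sketched above, as an added example that is not part of the original post and not Shibboleth code: a self-contained Python model of three IdPs where idp.one.com acts as the common domain and keeps the chain of tokens issued by the others. Tokens are HMAC-signed JSON with an expiry, and the common-domain IdP holds a copy of each issuer's signing key; the key distribution, the token format, the domain names beyond those in the post and the user/password entries are all constructed assumptions. The browser is reduced to a cookie jar keyed by domain, which is the only state that survives the redirects.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed per-IdP signing keys. The common domain (idp.one.com) holds a copy
# so it can verify tokens; how keys get distributed is an assumption of this model.
IDP_KEYS = {
    "idp.two.com": b"two-secret-key",
    "idp.three.com": b"three-secret-key",
}


def sign_token(issuer, subject, attributes, key, ttl=300):
    """Issue a short-lived HMAC-signed token carrying the SAML-style attributes."""
    claims = {"iss": issuer, "sub": subject, "attrs": attributes,
              "exp": int(time.time()) + ttl}
    payload = json.dumps(claims, sort_keys=True)
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + mac


def verify_token(token, keys):
    """Return the claims only if the token is intact, from a known issuer and unexpired."""
    payload, _, mac = token.rpartition(".")
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("iss") not in keys:
        return None
    expected = hmac.new(keys[claims["iss"]], payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac) or claims["exp"] <= time.time():
        return None
    return claims


class Browser:
    """Cookie jar keyed by domain; the only state that crosses the redirects."""
    def __init__(self):
        self.cookies = {}


class CommonDomainIdP:
    """idp.one.com: per hub cookie, the concatenated chain of tokens from other IdPs."""
    def __init__(self, domain, keys):
        self.domain, self.keys, self.chains = domain, keys, {}

    def register(self, browser, token):
        claims = verify_token(token, self.keys)
        if claims is None:
            return None  # unknown issuer, bad MAC or expired: refuse to trust it
        cookie = browser.cookies.get(self.domain) or secrets.token_hex(16)
        self.chains.setdefault(cookie, []).append(token)
        browser.cookies[self.domain] = cookie
        return claims

    def lookup(self, browser):
        # Re-verify the stored chain on every use so expiry is honoured, not cached.
        for token in self.chains.get(browser.cookies.get(self.domain), []):
            claims = verify_token(token, self.keys)
            if claims is not None:
                return claims
        return None


class IdP:
    """One IdP with its own user/password namespace and its own domain cookie."""
    def __init__(self, domain, users, key, hub):
        self.domain, self.users, self.key, self.hub = domain, users, key, hub
        self.sessions = {}  # local cookie -> claims

    def authenticate(self, browser, credentials=None):
        cookie = browser.cookies.get(self.domain)
        if cookie in self.sessions:
            return self.sessions[cookie]
        claims = self.hub.lookup(browser)  # redirect to the common domain
        if claims is None:
            # "no authentications have happened, proceed to log in" (toy plaintext check)
            if credentials is None or self.users.get(credentials[0]) != credentials[1]:
                return None
            user = credentials[0]
            attrs = {"mail": f"{user}@{self.domain.split('.', 1)[1]}"}
            claims = self.hub.register(browser, sign_token(self.domain, user, attrs, self.key))
            if claims is None:
                return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = claims
        browser.cookies[self.domain] = cookie
        return claims


def visit_sp(sp_domain, idp, browser, credentials=None):
    """An SP redirects every unauthenticated hit to its own IdP."""
    claims = idp.authenticate(browser, credentials)
    return None if claims is None else {"sp": sp_domain, "sub": claims["sub"], "iss": claims["iss"]}


def run_scenario():
    hub = CommonDomainIdP("idp.one.com", IDP_KEYS)
    idp_two = IdP("idp.two.com", {"alice": "pw2"}, IDP_KEYS["idp.two.com"], hub)
    idp_three = IdP("idp.three.com", {"cal": "pw3"}, IDP_KEYS["idp.three.com"], hub)
    browser = Browser()
    first = visit_sp("sp.three.com", idp_three, browser)                 # nothing yet
    login = visit_sp("sp.three.com", idp_three, browser, ("cal", "pw3"))  # log in once
    second = visit_sp("sp.two.com", idp_two, browser)                     # transparent
    forged = sign_token("idp.two.com", "mallory", {}, b"wrong-key")       # wrong key
    return {"first": first, "login": login, "second": second,
            "forged": hub.register(Browser(), forged)}


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

Running the scenario shows the property the post is after: the first hit to sp.three.com returns nothing, one login at idp.three.com populates the common-domain chain, and the hit to sp.two.com succeeds with the identity issued by idp.three.com and no second login. The model also makes the risk concentration visible: the common-domain cookie and the hub's key store are what every domain now trusts, and re-verifying tokens on each lookup is what lets a short token lifetime bound how long a stolen hub cookie stays useful.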