Cross domain IdP trust

Cantor, Scott cantor.2 at
Tue Nov 22 17:11:41 GMT 2011

On 11/22/11 12:06 PM, "Cal Heldenbrand" <cal at> wrote:
>Plus, as this peer (discovered) relationship grows it becomes a complex
>selection process.  I'm thinking potentially this authentication method
>could grow to hundreds of SP/IdP pairs.  In that case, a tiered IdP
>paradigm would fit better.

You cannot avoid discovery by adding layers. You simply move the problem
somewhere else. The layers may be useful for other reasons, but that isn't
one of them.

>One master authenticator to keep track of them all, but each session
>could transparently propagate to all systems.

Then you only have one IdP to begin with.

>I'm sort of in the brainstorming phase now... but now that I think about
>this more, I believe I might have just described OpenID.

No, you haven't.

-- Scott
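The exchange above turns on one step, IdP discovery, and on Scott's point that a hub or "master" IdP does not remove it. The following is an added example, not code from this thread, from Shibboleth or from either poster. It models the SAML 2.0 Identity Provider Discovery Profile request that an SP makes (entityID, return, returnIDParam, isPassive), the two validations a practitioner actually needs (the discovery service must only redirect back to the SP's registered endpoint, and the SP must only accept an IdP it knows), and a hub IdP that turns out to run the same scope-to-IdP lookup before it can authenticate anyone. All entityIDs, scopes and URLs are constructed for the example.

```python
"""Added example (not from the thread): the discovery step in a SAML
federation, and why a hub IdP in front of the home IdPs still has to
perform it.  The entityIDs, scopes and URLs are constructed for the
example and do not refer to real deployments."""
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed registry: each IdP entityID and the attribute scopes
# (e-mail domains) it is authoritative for.  Two IdPs deliberately
# claim "shared.example" to show the ambiguous case.
IDP_REGISTRY = {
    "https://idp.alpha.example/idp/shibboleth": {"alpha.example"},
    "https://idp.beta.example/idp/shibboleth": {"beta.example", "shared.example"},
    "https://idp.gamma.example/idp/shibboleth": {"shared.example"},
}

# Constructed SP metadata: the only return endpoint the DS may redirect to.
SP_DISCOVERY_RESPONSE = {
    "https://sp.example/shibboleth": "https://sp.example/Shibboleth.sso/Login",
}


class NeedsUserChoice(Exception):
    """Raised when the hint does not identify exactly one IdP."""

    def __init__(self, candidates):
        super().__init__(f"{len(candidates)} candidate IdPs")
        self.candidates = candidates


def discover_by_scope(scope, registry=IDP_REGISTRY):
    """Hint-based discovery: map an e-mail domain to one IdP, or give up
    and hand the choice (among the matching IdPs, or all of them) to the user."""
    candidates = sorted(eid for eid, scopes in registry.items() if scope in scopes)
    if len(candidates) == 1:
        return candidates[0]
    raise NeedsUserChoice(candidates or sorted(registry))


def discovery_request(sp_entity_id, ds_url, return_url,
                      return_param="entityID", is_passive=False):
    """Build a SAML 2.0 IdP Discovery Profile request: the SP sends the
    browser to the discovery service (DS) with its own entityID, the URL
    to come back to, and the parameter name the chosen IdP should use."""
    params = {"entityID": sp_entity_id,
              "return": return_url,
              "returnIDParam": return_param}
    if is_passive:
        params["isPassive"] = "true"
    return ds_url + "?" + urlencode(params)


def validate_return_url(sp_entity_id, return_url, sp_metadata=SP_DISCOVERY_RESPONSE):
    """DS-side check: only redirect back to the endpoint registered for
    that SP in metadata, otherwise the DS is an open redirector."""
    registered = sp_metadata.get(sp_entity_id)
    if registered is None:
        return False
    r, g = urlparse(return_url), urlparse(registered)
    return (r.scheme, r.netloc, r.path) == (g.scheme, g.netloc, g.path)


def parse_discovery_response(url, return_param="entityID", registry=IDP_REGISTRY):
    """SP-side: read the IdP the DS chose and refuse anything not in the
    registry, because the value travelled through the browser."""
    qs = parse_qs(urlparse(url).query)
    chosen = qs.get(return_param, [None])[0]
    if chosen not in registry:
        raise ValueError(f"unknown IdP in discovery response: {chosen!r}")
    return chosen


def hub_select_upstream(user_hint, registry=IDP_REGISTRY):
    """A tiered 'master' IdP: SPs send every user here, but before it can
    authenticate anyone it must pick the upstream IdP.  That is the same
    discovery step, now running inside the hub instead of at the SP."""
    _, _, domain = user_hint.partition("@")
    if not domain:
        raise NeedsUserChoice(sorted(registry))
    return discover_by_scope(domain, registry)
```

The hub only avoids a user-facing chooser when it has a reliable hint (here the e-mail domain); where scopes overlap or the hint is missing it is back to asking the user, which is the problem the SP had.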

