...

  • Universities are showing increased interest in allowing certain classes of potential users to authenticate via Social IdPs (Twitter, Facebook, Gmail, Yahoo, ...) and access SAML-protected services and resources.  The only path open at present is to rely on a Social2SAML gateway of some sort that authenticates a user via a social IdP and then transforms that authentication into a SAML authentication and attribute assertion.  Since multiple gateways already exist, there are multiple ways the transformation is being accomplished.  There is wide agreement that gateways are always a sub-optimal solution, but they are hard to get rid of once usage is entrenched.  The ideal would be to include multiple protocol support in the native SP package.  Now is the time to see if gateway providers can agree on how social IdP information is represented in SAML assertions.  If we have one, or a small number of, ways of doing this, it becomes easier to incorporate that support in a native SP package.

Attribute Aggregation

  • The simplest use case for attribute aggregation is when an SP/RP wants to supplement identity information received from the authenticating IdP with information maintained by a third-party attribute authority (such as a VO).
  • In the more general case, things get more complicated.  How is trust established between SPs and a collection of Attribute Authorities? How are identifiers from one assertion mapped to identifiers for the same subject in another attribute authority?