SAML and Social Identities
Initial draft words to work through as the introduction - Chris Phillips
As users navigate and experience the internet ecosystem, much of their activity takes place in the context of an exchange of one's digital identity or persona. The spectrum of contexts available to a user ranges from an anonymous context (to the extent that anonymity is possible on the internet) to a very personal and richly defined identity context. At the heart of the identity conversation is trust and the evaluation of risk by both parties.
Both users and site owners desire to:
- Minimize the risk of either party falsifying who they are (falsehoods)
- Minimize the risk to communications in transit between each other (security of communication)
- Ensure a mutual understanding of what is being transmitted and received (the semantic meaning of data is in alignment)
- Minimize the friction of accomplishing all of the above, with the least negative impact on each party (don't punish the user)
- Minimize the maintenance of the mechanism by which this happens (don't punish the maintainer)
As there is no rule of law stating 'thou shall have one identity and one way to log in', many practices have emerged with differing perspectives on the above points, some weighing certain aspects more heavily than others.
SAML2 as a protocol facilitates the exchange of authentication and authorization data [OpenID:1]. In this conversation about social identity, SAML2 closely tracks a more formal expression of identity from an institutional perspective, whereas social identity more closely tracks the adoption of a given practice because of the critical mass of its use or its ease of implementation compared with other practices. This does not mean institutions are prohibited from using social identities; in fact, the opposite is true. Due to pressures of adoption, institutions will have to decide to what extent they wish to participate, what risks they will have to take on, and what benefits they will receive in return for the wager.
This document will compare and contrast various social identity approaches with SAML2 in order to allow implementers to make sound judgements about the risks and benefits at hand when deciding what to implement and where the trade-offs lie.
A secondary aim is to explore how to bridge from SAML2 protocol conversations to other social identity approaches, knowing what will be sacrificed, while achieving a consistent interface for doing so rather than having many parties reinvent the same wheel. We hope that by assembling the first portion of the conversation we can ease the assessment of how to accomplish this step.
The use cases that were submitted and accepted by the group can be viewed at GenericUseCases.