Sunday 13 September 2020

OAuth2.0 Tutorial - PART - 3


OpenID or OpenID Connect


OpenID Connect is a set of defined process flows for “federated authentication”. OpenID Connect flows are built using the OAuth 2.0 process flows as the base, adding a few additional steps on top of them to allow for “federated authentication”.


OpenID is an open standard sponsored by Facebook, Microsoft, Google, PayPal, Ping Identity, Symantec, and Yahoo. OpenID allows users to be authenticated using third-party services called identity providers. Users can choose their preferred OpenID provider to log in to websites that accept the OpenID authentication scheme.



Other Protocols


There are a number of other growing federated identity options. Below are a few examples.

Higgins: Higgins is a new open source protocol that allows users to control which identity information is released to an enterprise.


Windows CardSpace: CardSpace is Microsoft's new identity metasystem that provides interoperability between identity providers and relying parties with the user in control. This protocol is retired, though, and Microsoft is working on a replacement called U-Prove.


MicroID: MicroID is a new identity layer for the web and microformats that allows anyone to simply claim verifiable ownership over their own pages and content hosted anywhere.


Liberty Alliance: Liberty Alliance is a large commercially oriented protocol providing inter-enterprise identity trust. It is the largest existing identity trust protocol deployed around the world.


U-Prove: U-Prove is a token-based credential established in 2012 whose core specifications were released under Microsoft’s Open Specification Promise. U-Prove tokens can contain any kind of attribute, similar to public key infrastructure (PKI), yet differ in two significant ways. First, the token’s public key and signature cryptographic “wrapping” is done in a way where the attributes “contain no correlation handles making it impossible to track U-Prove tokens even in a situation where insiders might collude”. Secondly, U-Prove users have the ability to disclose only the minimum information required, such as their age being within a range rather than their actual age.


Summary


SAML has one feature that OAuth2 lacks: the SAML token contains the user identity information (because of signing). With OAuth2, you don’t get that out of the box, and instead, the Resource Server needs to make an additional round trip to validate the token with the Authorisation Server.
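The summary's point in working code, as an added example that is not part of the original post: the step OpenID Connect adds on top of OAuth 2.0 is a signed ID token, so the client can verify the identity claims locally (the way a signed SAML token is verified) instead of making the extra round trip to the Authorisation Server. It assumes a hypothetical provider `https://op.example`, a hypothetical client id `demo-client`, and a constructed HS256 shared secret; real providers sign with RS256 and publish the public key, but HS256 keeps the example self-contained.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret shared by the (hypothetical) OpenID Provider and the
# client. A real OpenID Provider signs ID tokens with RS256 and publishes the
# public key via its JWKS endpoint; HS256 keeps this example self-contained.
ISSUER = "https://op.example"          # hypothetical OpenID Provider
CLIENT_ID = "demo-client"              # hypothetical relying party (client_id)
SECRET = b"constructed-shared-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict) -> str:
    """Mint an HS256-signed ID token, as the OpenID Provider would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """Validate the token locally: signature first, then iss/aud/exp/nonce.
    Returns the verified claims, or raises ValueError on the first failure."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token's own 'alg' (e.g. 'none') decide.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))   # only trusted after the signature check
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:   # binds the token to this login attempt
        raise ValueError("nonce mismatch")
    return claims
```

Every check runs against the client's own copy of the key and the claims it sent, so no network call to the provider is needed to learn who the user is.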
