can an openid saml profile get rid of the wayf

Sun, Jul 23, 2006

There are a few parallels between shibboleth and OpenID, what with consumers, which are Service Providers in shibb land and identity servers which are Identity Providers in shibb speak. The protocols are different with shibboleth claiming to be more secure but is hampered by the WAYF, that application that pops up and asks you “Where are you from?”. The flow of events after that are similar between shibboleth and OpenID but there’s an interesting social aspect to OpenID, where users “own” their identity server, or rather, they feel it’s part of their online presence, serving their needs to let them gain access to sites on the web using that url. So how can OpenID make shibboleth more user friendly?

In OpenID, a user skips what would be a WAYF by telling a consumer (SP) where their identity server (IdP) is. This is their OpenID URL. In shibb this is not user friendly and no-one can ever remember it. In fact no-one knows what it is as it’s hidden by the WAYF. But what if an institution associated their IdP’s SSO with a tiny url, say, or defines it’s own tiny url ( is just as unmemorable as normal shibb urls!). e.g., or This would be a redirect to the IdP’s SSO. This also means that an institution has a constant interface to consumers and Service Providers as they’re free to change the real location of the IdP’s SSO at will. The OpenID url stays the same.

Allowing an SP to accept an OpenID style url gets rid of the WAYF. It’s never needed. What happens in OpenID is the consumer (SP) redirects to that url and the user authenticates there. This is all shibb.

So what about an OpenID profile of SAML? It would allow a Service Provider to display a link to a page where a user can enter their OpenID url. The next page they see is their Identity Provider (IdP) and they authenticate and normal shibboleth flow resumes.

The shibboleth discovery process has been replaced with the more intuitive and scaleable OpenID discovery process and as OpenID gains ground shibboleth truly disappears into the background, as all middleware should, well the stuff that works anyway.

As I’m looking into shibbing SAKAI with Guanxi, I think I’ll take a deeper look at using an OpenID url to access SAKAI but using SAML instead of the normal OpenID protocol.

comments powered by Disqus