Network Computing is part of the Informa Tech Division of Informa PLC


Making ID Management Manageable: Page 3 of 8

Although that option remains part of the most recent Liberty Alliance spec, Version 1.2, it's no longer encouraged because cookie management and reading cookies across domains pose security risks, and raise the ire of privacy-minded consumers.

The new version also recommends OASIS' SAML as a way to pass identity information between two sites. SAML is an XML framework for exchanging authentication and authorization data between different security systems and Web services. With SAML, identity information is hidden for privacy reasons so it can't be traced to the user. This provides better security for personal data, but requires a high level of trust between the service provider and identity provider.

The Liberty Alliance spec includes two methods of passing this information among the identity provider, user agent (browser) and service provider, both of which rely on browser redirection (see "A Federation of Federations").

[Figure: A Federation of Federations]

One method is to use HTTP GET to pass a SAML assertion (a statement about an end user, such as an attribute). The catch is that the combined length of the URL and assertion can't exceed the browser's URL-length limit. The other method is HTTP POST, which has no such restriction: it lets you embed the SAML assertion in an HTML form and pass it between providers. The downside of this approach is that it's harder to code and requires scripting to move the browser automatically between the service provider and the identity provider.

A SAML artifact, which is a pointer to a SAML assertion rather than the assertion itself, is often passed via HTTP GET instead, which keeps the browser side of the implementation simple. For the service provider to retrieve the full SAML assertion, the identifier must be visible, albeit opaque.
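The three transfer methods described above, worked through as an added example that is not from the article or from any Liberty Alliance or SAML implementation. The endpoint URLs, the assertion content, the URL limit and the in-memory artifact store are constructed assumptions; the artifact layout follows the SAML 1.x type 0x0001 format (type code, SourceID, random handle).

```python
import base64, hashlib, html, secrets
from urllib.parse import urlencode

# Constructed sample assertion, unsigned and minimal; real deployments sign it.
ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" '
    'AssertionID="_constructed-example"><saml:AttributeStatement>'
    '<saml:Subject><saml:NameIdentifier>pseudonym-7f3a</saml:NameIdentifier>'
    '</saml:Subject></saml:AttributeStatement></saml:Assertion>'
)
URL_LIMIT = 2048  # assumed conservative browser URL-length limit

def get_binding_url(sp_endpoint, assertion, limit=URL_LIMIT):
    """HTTP GET: the whole assertion rides in the query string; rejected when too long."""
    query = urlencode({"SAMLResponse": base64.b64encode(assertion.encode()).decode()})
    url = f"{sp_endpoint}?{query}"
    if len(url) > limit:
        raise ValueError(f"URL length {len(url)} exceeds limit {limit}")
    return url

def post_binding_form(sp_endpoint, assertion):
    """HTTP POST: assertion in a hidden field; the onload script submits the form."""
    b64 = base64.b64encode(assertion.encode()).decode()
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="POST" action="{html.escape(sp_endpoint)}">'
        f'<input type="hidden" name="SAMLResponse" value="{html.escape(b64)}"/>'
        "</form></body></html>"
    )

# Artifact: 2-byte type + 20-byte SourceID (SHA-1 of IdP id) + 20-byte random handle.
_artifact_store = {}  # the IdP keeps the assertion; only the pointer goes via the browser

def make_artifact(idp_id, assertion):
    source_id = hashlib.sha1(idp_id.encode()).digest()
    handle = secrets.token_bytes(20)
    _artifact_store[handle] = assertion
    return base64.b64encode(b"\x00\x01" + source_id + handle).decode()

def parse_artifact(artifact):
    """Returns (SourceID, handle): SourceID is visible so the SP knows which
    IdP to query; the handle is opaque and carries no user information."""
    raw = base64.b64decode(artifact)
    if len(raw) != 42 or raw[:2] != b"\x00\x01":
        raise ValueError("unsupported artifact format")
    return raw[2:22], raw[22:]

def resolve_artifact(artifact):
    """Back-channel lookup at the IdP; one-time use, so a replayed artifact fails."""
    return _artifact_store.pop(parse_artifact(artifact)[1])
```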