Is OpenID Connect + OAuth + UMA Complete? Why Should I switch from SAML + ID-WSF2 + Xacml?

From IIW
Jump to: navigation, search

Is OIDC+OAUTH2+UMA complete? What about SAML2+ID-WSF2+XACML?

Tuesday 4H

Convener: Sambo

Notes-taker(s): Sambo

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

IIW21 TU 4H OIDCstack.jpg

Efforts to profile and orchestrate use of protocols

IGOV Profile Working Group (under OpenID foundation)


InCommon (US educational federation)

Trusted Architecture for Securely Sharing Services (TAS3) and End-to-end Trust Assurance (Synergetics)

Both stacks are missing (but TAS3 architecture and E2ETA include):

  • Tighter profiling of exactly how to use the specs (SAML tends to need

  less profiling, but even it does need it)

  • New user intake
  • New partner intake and Circle of Trust Management (or management model)
    • SAML2 metadata exchange is standardized, but there is much more to the intake
  • Standardization of audit mechanisms
    • Digitally signed audit trail by logging the actual protocol messages can be done, but
    • Summary logs are not standardized yet
    • Frameworks standardize summary trail to automate processing the trail
    • Summary trail also facilitates transparency and visualization of audit trail to end users
  • Standardization of legal/contractual framework
    • Clear description of how protocol actions and token fields articulate

    legal requirements and correspond to contractual obligations

    • Standardization of policies
  • Claim: OpenID-Connect and SAML2 will do roughly the same job at SSO layer
    • Pairwise pseudonymization is possible, but needs to be made mandatory
  • Claim: JSON Web Token (JWT) and SAML2 Assertion ultimately can express

  roughly the same things

  • OAUTH2 is much looser specification than ID-WSF Security Mechnisms
  • What are the service discovery methods in OAUTH+UMA? In ID-WSF there is

  clearly standardized discovery service

  • Delegation supported in both stacks.
    • Binding through globally unique identifier, e.g. email (*** describe mechanism in OAUTH+UMA)
    • People Service and pairwise pseudonymous Target Identity header in ID-WSF,
  • UMA and XACML are trying to do roughly the same, namely move

  authorization decision away from the policy enforcement point (PEP),   but they go very differently about it

    • UMA is generally foreseen to be able to impose a user interface in redirection games
    • UMA conveys authrization using a token
    • ID-WSF Discovery Service can in some cases also be seen similar to UMA

    as it, too, uses a token to convey the authorization

    • XACML does not specify any interaction mechanism, but ID-WSF interaction

    service does provide the capability

    • XACML does not convey authorization using a token, but rather using

    a Permit (or Deny) response to a web service call to the PDP

  • Both have nascar style IdP discovery and IdP proxy is possible
  • Web Service Discovery
    • Standard feature of ID-WSF
    • Perhaps Web Finger will do this for OAUTH2+UMA