an 'eye' for SSO

Paul Madsen over at connectID comments on the i-Names i-SSO specification:

Looking at the i-names SSO (ISSO) spec being defined at XDI.org, they account for some minimum password strengths by which users MUST authenticate to their i-Broker (within the XDI.org community)

To help prevent dictionary attacks, XDI.ORG MUST specify a minimum password strength required of all ISSO accounts in the XDI.ORG network.

As they use SAML 2.0 as the protocol by which the Website requests an authentication and by which the i-Broker responds, it seems strange that they don't refer to SAML 2.0's Authentication Context as the mechanism for defining such minimum authentication requirements.

In fact, the next revision to this draft (which i am penning as we speak) does, in fact do that. It will also define a couple new profiles, and two new authN contexts (enhancements really, not new).

• XRI-based services discovery profile which allows for the determination of an Authentication Authority based on an iName (XRI)
• Slight variant on Web Browser SSO Profile (adding requirements for the new contexts)
• contexts which add some defenses against phishing

Stay tuned here or over at XDI.org, where the specs formally live for the next release.

Technorati Tags: identity, iSSO, SAML, XRI