It's this token exchange mechanism that I find intriguing. Does it work both ways? Can I exchange a SAMLv2 Assertion for an OpenID “assertion”? This seems doable if the user is using a single IdP that “speaks” all the identity protocols. With this kind of deployment model, the IdP can use browser cookies and other mechanisms to maintain the authentication session of the user. An example flow could be...
- User visits RP-A which only supports SAMLv2
- User's browser has a stored cookie identifying the SAML IdP to use (existing SAML IdP discovery mechanism)
- RP-A re-directs the user's browser to the IdP to authenticate via the AuthnRequest
- User authenticates and the IdP sets authentication-state cookies in the user's browser
- The IdP re-directs the user's browser back to RP-A passing the AuthnResponse
- User is now authenticated at RP-A
- User now loads RP-B which only supports OpenID
- User's browser has a stored cookie identifying the last OpenID used with RP-B
- RP-B invokes a checkid_immediate with the OP resolved via OpenID discovery (in this case the same IdP)
- The checkid_immediate re-directs the user's browser such that the IdP can validate the user's authenticated session
- The IdP now verifies that there is a previously established federation between the OpenID and SAML identifier
- If the federation exists, then the IdP can return the OpenID authenticated response
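To make the bridging logic in the flow above concrete, here is a small added example (mine, not code from any real IdP or from the OpenID or SAML specifications). It models the IdP's side of steps 4-5 and 10-13: a cookie-keyed session store written when the user authenticates for the SAML AuthnRequest, a federation table mapping an OpenID claimed identifier to a SAML NameID, and a `checkid_immediate` handler that only returns a positive `id_res` when the cookie names a live session *and* that session's SAML principal is the one federated with the requested OpenID. The session lifetime, the OP endpoint URL, the association handle and the HMAC-SHA256 association key are all constructed assumptions; the key-value signing shape follows OpenID 2.0 but is simplified.

```python
"""Toy IdP that bridges a SAMLv2 login session to an OpenID checkid_immediate response."""
import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

NS = "http://specs.openid.net/auth/2.0"
OP_ENDPOINT = "https://idp.example/openid"   # assumption: the IdP's OpenID endpoint


@dataclass
class Session:
    """Authentication state the IdP stored when the user logged in via SAML (steps 4-5)."""
    saml_name_id: str
    authn_instant: float
    ttl: float = 3600.0  # assumption: one-hour session lifetime

    def is_valid(self, now: float) -> bool:
        return 0 <= now - self.authn_instant < self.ttl


def kv_signature(fields: Dict[str, str], signed: List[str], assoc_key: bytes) -> str:
    """Key-Value form of the signed fields (OpenID 2.0 style), MACed with the association key."""
    kv = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed)
    mac = hmac.new(assoc_key, kv.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def verify_signature(fields: Dict[str, str], assoc_key: bytes) -> bool:
    """What RP-B does with the positive assertion: recompute the MAC over openid.signed."""
    signed = fields["openid.signed"].split(",")
    expected = kv_signature(fields, signed, assoc_key)
    return hmac.compare_digest(expected, fields.get("openid.sig", ""))


class BridgingIdP:
    """Hypothetical IdP that speaks both SAMLv2 and OpenID."""

    def __init__(self, assoc_key: bytes):
        self.assoc_key = assoc_key                  # stand-in for an established association secret
        self.sessions: Dict[str, Session] = {}      # cookie value -> Session
        self.federations: Dict[str, str] = {}       # OpenID claimed_id -> SAML NameID

    def saml_authenticate(self, saml_name_id: str, now: float) -> str:
        """Steps 4-5: user authenticates for the AuthnRequest; IdP sets an authentication-state cookie."""
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = Session(saml_name_id, now)
        return cookie

    def federate(self, claimed_id: str, saml_name_id: str) -> None:
        """Record (out of band) that this OpenID identifier belongs to this SAML principal."""
        self.federations[claimed_id] = saml_name_id

    def checkid_immediate(self, cookie: Optional[str], claimed_id: str,
                          return_to: str, now: float) -> Dict[str, str]:
        """Steps 10-13: RP-B's checkid_immediate arrives carrying the browser's IdP cookie."""
        session = self.sessions.get(cookie) if cookie else None
        if session is None or not session.is_valid(now):
            # No live authentication session; immediate mode cannot prompt the user.
            return {"openid.ns": NS, "openid.mode": "setup_needed"}
        if self.federations.get(claimed_id) != session.saml_name_id:
            # Federation missing, or the cookie belongs to a different SAML principal.
            return {"openid.ns": NS, "openid.mode": "setup_needed"}
        fields = {
            "openid.ns": NS,
            "openid.mode": "id_res",
            "openid.op_endpoint": OP_ENDPOINT,
            "openid.claimed_id": claimed_id,
            "openid.identity": claimed_id,
            "openid.return_to": return_to,
            "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
                                     + secrets.token_hex(4),
            "openid.assoc_handle": "example-handle",  # assumption: handle from a prior association
        }
        signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
        fields["openid.signed"] = ",".join(signed)
        fields["openid.sig"] = kv_signature(fields, signed, self.assoc_key)
        return fields


if __name__ == "__main__":
    key = b"constructed-association-secret"      # constructed sample key
    idp = BridgingIdP(key)
    t0 = 1_700_000_000.0
    cookie = idp.saml_authenticate("alice@saml.example", t0)            # constructed NameID
    idp.federate("https://alice.openid.example/", "alice@saml.example")  # constructed OpenID
    resp = idp.checkid_immediate(cookie, "https://alice.openid.example/",
                                 "https://rp-b.example/return", t0 + 60)
    print(resp["openid.mode"], verify_signature(resp, key))
```

The two `setup_needed` branches are the security-relevant part: a valid IdP session on its own is not enough, the session's SAML principal must be the one federated with the OpenID being asserted, otherwise one user's browser session could be turned into an assertion for someone else's identifier. RP-B should still verify `openid.return_to` against its own realm and check the nonce for replay before trusting `id_res`.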
Tags: Identity, OpenID, SAML, SSO, metasystem