Tuesday, May 22, 2007

AOL supports simple federation with SAMLv2

In addition to the work AOL is doing to support OpenID, we've also been working with SAMLv2 to provide a simple federation profile for our partners. This allows users to federate an account at a partner to an account at AOL so that SSO is enabled from the partner to AOL or vise-versa.

This implementation uses the “SAMLv2 Lightweight Web Browser SSO Profile” and “SAMLv2.0 HTTP POST SimpleSign Binding”. Since the current use cases are fairly restricted we simplified the process even more such that only source-first SSO, using an unsolicited <Response> message is supported.

The actual federation of identifiers is done during the registration process using existing AOL protocols. SAML is then used for the SSO Assertion between the partners. The flow goes something like this...

  1. User goes to browser and loads site A
  2. User authenticates at site A using the account credentials associated with site A
  3. User clicks on link to partner site B
  4. Site A generates the SSO Assertion for site B using site B's pre-determined federation identifier
  5. Site A uses the http POST method to post the SSO Assertion to site B
  6. Site B validates and verifies the SSO Assertion
  7. User is “signed-on” to site B with site B's federated identifier

Using the Simple-Sign binding significantly simplified the development effort as XMLDSIG is one of the more complicated parts of SAML. As more tools for XMLDSIG become available this will be less and less of a barrier to adoption.

Tags: , ,


Eric said...


Interesting work!

I've a question: is the user obliged to create a local SP account first before being able to federate with his AOL identity?

If no, how do you manage the case where the user wants to stop using his AOL identity to authenticate on SP (using the federation link)? In that case, you have to find a way to create local credentials at SP side. What if he has previously closed his AOL account (dont't know if it is possible...)?


George Fletcher said...

In the current case the "federation" is what I call "explicit" meaning that it is between two known/existing identifiers. One at the partner, and one at AOL. So there are always "local credentials at the SP side".

There are mechanisms to break the explicit federation but at this time they don't use SAML.

Anonymous said...

Interesting but I couldn't find a reference to it on the AOL site.
Could you give a pointer ? Is there a guide of how to integrate for SSO? We are running a public SAML2 identity provider at ssocircle.com.

Thanks, Chris

George Fletcher said...

At this time we don't have a process for easily adding partners to our "circle-of-trust". So far this has been for explicit partner relationships. However, we are looking into this as a possible future direction.