OpenID Connect: a new protocol for authentication
In a previous blog post, Joost van Dijk explained how SURFconext uses the SAML2 protocol for authentication. However, a number of other authentication protocols exist, even though SURFconext currently only supports SAML2. Other well-known ones are OpenID, Facebook Login and OpenID Connect. The latter, OpenID Connect, is an upcoming standard that seems potentially interesting for SURFconext and for identity federations in general.
OpenID Connect for SURFconext?
Novay has been looking into the relevance of OpenID Connect for SURFconext, and specifically into the question of whether it should be made possible to connect services to SURFconext using OpenID Connect (instead of SAML2). Their report on this topic was recently published.
OpenID Connect features
OpenID Connect offers functionality similar to SAML2 for the use cases in SURFconext. Support for certain features, such as asking for user consent, is built into the standard. In addition, OpenID Connect can deal with higher levels of assurance and supports IdP discovery, dynamic client registration, and session management — although some of these features are optional or still under development. Even though OpenID Connect was developed with a dynamic authentication landscape in mind, static trust management is certainly possible, and standardisation for typical federation scenarios is being studied by NRENs and certain vendors.
OpenID Connect for Service Providers
The Service Provider (Client) side of OpenID Connect can be implemented with relatively little effort, especially if the Service Provider already uses OAuth 2.0 to delegate access to its REST APIs. OpenID Connect is designed for the consumer-to-social-network scenario, yet it can potentially be deployed in other environments, such as the enterprise or federations for higher education and research. The OpenID Connect standard is not final at this point, but it is stable enough that software developers are already implementing it.
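To make the Service Provider (Relying Party) side concrete, the following is an added example, not code from SURFconext, Novay or any OpenID Connect library. It shows the two pieces a client has to get right on top of plain OAuth 2.0: sending a state and nonce with the authorization request, and validating the ID token that comes back (signature with a pinned algorithm, issuer, audience, expiry, nonce). The issuer URL, client_id and client_secret are constructed placeholders, and the token is HS256-signed with the client secret, one of the signing options the OpenID Connect Core specification allows; a provider using RS256 would require fetching its JWKS instead, which is left out here.

```python
"""Minimal OpenID Connect Relying Party checks (added example, not SURFconext code).

Assumptions (all constructed for this example): the OpenID Provider issuer URL,
the client_id/client_secret, and HS256-signed ID tokens as permitted by
OpenID Connect Core when a client secret is shared with the provider.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

# Constructed values; a real deployment gets these from client registration.
ISSUER = "https://op.example.org"          # hypothetical OpenID Provider
CLIENT_ID = "example-sp"                   # hypothetical client identifier
CLIENT_SECRET = b"constructed-shared-secret-for-the-example"


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_authorization_request(redirect_uri: str):
    """Build the authorization request URL plus the state/nonce the client must remember.

    'state' binds the callback to the browser session (CSRF defence);
    'nonce' binds the ID token to this authentication request (replay defence).
    """
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "scope": "openid profile",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    return f"{ISSUER}/authorize?{urlencode(params)}", state, nonce


def sign_id_token_hs256(claims: dict) -> str:
    """Produce an HS256-signed ID token as the provider would (used here to build sample input)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """Validate an ID token per OpenID Connect Core section 3.1.3.7 and return its claims.

    Raises ValueError on any failed check; callers must treat that as 'not authenticated'.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token header choose it (alg=none / key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(
        CLIENT_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud_list:
        raise ValueError("token not intended for this client")
    if len(aud_list) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("azp missing or wrong with multiple audiences")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims
```

In a real deployment the state is checked against the session when the browser returns to the redirect URI, the authorization code is exchanged at the token endpoint over TLS, and only then is `validate_id_token` run on the returned ID token; a provider that signs with RS256 requires the same claim checks, with the HMAC verification replaced by a signature check against the key published in its JWKS.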
SAML 2.0 or OpenID Connect
Some analysts have suggested that OpenID Connect (or a similar protocol) will replace SAML 2.0 in the long run. While this remains to be seen, it is certainly possible that certain categories of Service Providers will support OpenID Connect first to allow social login and only implement SAML if there is a clear business case for enterprise and/or higher education and research customers. Google, Microsoft and other commercial parties support the OpenID Foundation in their development effort. However, SAML 2.0 will remain the protocol of choice for federations for the foreseeable future.
It is clear that OpenID Connect is an interesting technology, and SURFnet would like to experiment with it. If you run a (web) service, would like to connect it to SURFconext using OpenID Connect rather than SAML2, and don't mind taking part in an experimental pilot, then please contact us. Mail to: firstname.lastname@example.org
Bas Zoetekouw (SURFnet) and Martijn Oostdijk (Novay)