Computing Reviews
Privacy preserved attribute aggregation to avoid correlation of user activities across Shibboleth SPs
Nakamura M., Nishimura T., Yamaji K., Sato H., Okabe Y. COMPSACW 2013 (Proceedings of the 2013 IEEE 37th Annual Computer Software and Applications Conference Workshops, Kyoto, Japan, Jul 22-26, 2013) 367-372. 2013. Type: Proceedings
Date Reviewed: Jun 11 2014

Have you ever encountered a problem where you thought you had to dig a tunnel through the hard way, but then saw you can instead fly around it?

I had a similar feeling when reading this paper. In our projects based around Security Assertion Markup Language (SAML) single sign-on (SSO), we had been looking at the issue of aggregating attributes from multiple identity sources (the user’s home identity provider and attribute providers) when a user is logging into a service provider (SP). And we had just been taking for granted that in order for this to work, we must have a shared attribute uniquely identifying users across all services and all identity sources, which comes at a cost in terms of privacy issues.

This paper shows an interesting and innovative way of aggregating attributes from all sources without having to have the shared identifier. The trick is in using front-channel communication and making each additional source of attributes establish a new session via the browser, reusing the user’s existing SSO session at their home identity provider. And even though this requires modification to both the identity provider (IdP) and SP code, these changes need only be deployed at the target SP and at the attribute providers; no changes need to be made at the user’s home identity provider, which makes this solution feasible to deploy in an existing federated identity environment.

In addition to this innovative solution, the paper also provides a good background introduction to federated identity management. It is definitely worth reading.

Reviewer: Vladimir Mencl. Review #: CR142382 (1409-0768)
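The following is an added illustration of the mechanism the review describes; it is not code from the paper under review, whose exact protocol is not reproduced on this page. It is a toy Python model in which the home IdP behaves like an ordinary SAML IdP (one SSO session, a per-relying-party pseudonym instead of a shared identifier), while the SP and the attribute provider are the modified parties that perform the front-channel round trip through the browser. The entity names, the HMAC-based pseudonym construction, the attribute values and the request-id binding are assumptions made for this example.

```python
"""Toy front-channel attribute aggregation with per-relying-party pseudonyms.

Constructed example; entity names, pseudonym scheme and attributes are assumed.
"""
import hashlib
import hmac
import secrets


class Browser:
    """User agent: carries the home IdP's SSO session cookie from site to site."""

    def __init__(self):
        self.idp_cookie = None


class HomeIdP:
    """Unmodified home IdP: one SSO session plus a pairwise pseudonym per relying party."""

    def __init__(self, key: bytes):
        self.key = key
        self.sessions = {}  # session cookie -> local username

    def login(self, browser: Browser, user: str) -> None:
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        browser.idp_cookie = cookie

    def pairwise_id(self, user: str, relying_party: str) -> str:
        # Stable for one (user, RP) pair; unlinkable across RPs without the IdP key.
        msg = f"{user}|{relying_party}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:32]

    def assertion_for(self, browser: Browser, relying_party: str) -> dict:
        # SSO: the existing session is reused; the user is not re-authenticated.
        user = self.sessions[browser.idp_cookie]
        return {"audience": relying_party,
                "subject": self.pairwise_id(user, relying_party)}


class AttributeProvider:
    """Stores extra attributes keyed by the pseudonym the IdP shows to this AP only."""

    def __init__(self, name: str, idp: HomeIdP):
        self.name, self.idp, self.records = name, idp, {}

    def enrol(self, user: str, attrs: dict) -> None:
        self.records[self.idp.pairwise_id(user, self.name)] = dict(attrs)

    def front_channel_query(self, browser: Browser, request_id: str) -> dict:
        # The SP redirected the browser here. The AP starts its own session by
        # obtaining an assertion from the IdP (SSO, no new login) and answers with
        # attributes bound to the SP's request id, not to any shared user identifier.
        assertion = self.idp.assertion_for(browser, self.name)
        return {"in_response_to": request_id,
                "attributes": self.records.get(assertion["subject"], {})}


class ServiceProvider:
    """Modified SP: after its own SSO login, pulls attributes from each AP via the browser."""

    def __init__(self, name: str, idp: HomeIdP, aps: list):
        self.name, self.idp, self.aps = name, idp, aps

    def login(self, browser: Browser) -> tuple:
        assertion = self.idp.assertion_for(browser, self.name)
        if assertion["audience"] != self.name:
            raise ValueError("assertion not addressed to this SP")
        aggregated = {}
        for ap in self.aps:
            request_id = secrets.token_hex(8)  # binds the AP's answer to this round trip
            response = ap.front_channel_query(browser, request_id)
            if response["in_response_to"] != request_id:
                raise ValueError("unsolicited or replayed attribute response")
            aggregated.update(response["attributes"])
        return assertion["subject"], aggregated


def demo() -> dict:
    """Two SPs aggregate the same AP's attributes for one user; their subjects differ."""
    idp = HomeIdP(secrets.token_bytes(32))
    ap = AttributeProvider("ap.example.org", idp)
    sp1 = ServiceProvider("sp1.example.org", idp, [ap])
    sp2 = ServiceProvider("sp2.example.org", idp, [ap])
    ap.enrol("alice", {"eduPersonEntitlement": "urn:mace:example.org:wiki"})

    browser = Browser()
    idp.login(browser, "alice")  # the only interactive login, at the home IdP
    subject1, attrs1 = sp1.login(browser)
    subject2, attrs2 = sp2.login(browser)
    return {
        "sp1": (subject1, attrs1),
        "sp2": (subject2, attrs2),
        "ap_view": idp.pairwise_id("alice", ap.name),
        "correlatable_by_subject": subject1 == subject2,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the property the review highlights: both SPs receive the attribute provider's attributes for the same user, yet neither SP's subject identifier matches the other's or the pseudonym the attribute provider sees, so an identifier-based join across SPs is not possible. The only thing tying an attribute response to an SP login is the per-request id carried through the browser, which is why the check on `in_response_to` matters.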
Authentication (D.4.6 ... )
Privacy (K.4.1 ... )
General (H.2.0 )
 