
Federating with Yahoo using SAML single sign-on for my customer

I am an Oracle Identity and Access contractor working for one of my Denver city customers, trying to support its internet users in leveraging their existing identity accounts, from Google, Facebook, Yahoo, Twitter, and Microsoft Live, to do web single sign-on to my customer's web site. My customer is using Oracle's Identity Federation (OIF) product, which presently only supports SAML 1.x/2.0, WS-Federation, and Liberty ID-FF 1.x. Unfortunately, OIF does not support the OpenID or OAuth protocols, and this could require an extension (or customization) to support them.

Given the aggressive customer deadline and our non-familiarity with OpenID/OAuth, we plan to use SAML 2.0. The other requirement is to act as a Service Provider (SP)/Resource Provider (RP) and trust the user's external account provider as the Identity Provider (IDP). I have a few questions for you:

1) Do you support any of SAML 1.x/2.0, WS-Federation, and Liberty ID-FF 1.x protocols?

2) My question is whether Yahoo can act as an IDP in this case while establishing a chain of trust with my customer, who will be acting as SP/RP?
What are some of the technical requirements to set this up from Yahoo's end? I believe we need:
Trusted keys/certificates to identify that the user authentication request (and other follow-on requests) is coming from a trusted source that is part of the chain of trust. Is this correct?
3) Decide on the federation protocol, which should be SAML 2.0, or other. From your YDN link (http://developer.yahoo.com/auth/) it tells me that SAML 2.0 is not supported. Is this correct?
4) I need Yahoo's IDP URL and need to provide Yahoo with the SP/RP URL, or include it within the SAML authentication request.
5) Decide on a unique name identifier that will be used to link the user identity on Yahoo's end with our end - something like user id, e-mail address, or something else. Is there one you recommend?
6) Do you support sharing your user profile information such as first name, last name, and other public information? If you do, then is it through Attribute Exchange/Sharing Authorization, which is one service supported by SAML 2.0, or another auth protocol (OpenID/OAuth)? What is your requirement and what user profile information can be provided?
7) It was mentioned somewhere that you allow for user management/provisioning - the ability to pass new user account information to external trusted federation partners. Is that true? Do you also support profile updates from the SP/RP to your end? Is the account management supported through the SPML protocol, or something else?
8) How do we participate in global logout, which means the user logs out of the SP/RP and is then given an opportunity to log out from all signed-in sites by Yahoo? I believe the major work is on your end, or do we need something on our end?
9) Where do I go to read all this information, or are there integration support documents?
10) Who will be my point of contact at Yahoo to coordinate, work out the details, and test this functionality?

Thanks,

Abid Abbasi

by NA, Jul 14, 2010
1 Reply
  • Hi Abid,

    The short answer is we don't support any of the following:
    SAML 1.x/2.0, WS-Federation, and Liberty ID-FF 1.x protocols.

    The authentication/authorization protocols we support are
    OpenID and OAuth as stated here:
    http://developer.yahoo.com/auth/

    Both are open protocols and you can get the detailed specification
    and code samples from http://openid.net/ and http://oauth.net/
    respectively.

    To use our OpenID service, you don't need to register your site
    with us. You can use the OpenID URL as the unique user identifier.
    You can use the OpenID Attribute Exchange protocol to get the following
    user data:

    "nickname" => "http://axschema.org/namePerson/friendly",
    "fullname" => "http://axschema.org/namePerson",
    "email" => "http://axschema.org/contact/email",
    "gender" => "http://axschema.org/person/gender",
    "language" => "http://axschema.org/pref/language",
    "timezone" => "http://axschema.org/pref/timezone",

    To use our OAuth service, you will need to register your site
    with us through https://developer.apps.yahoo.com/projects
    to get a consumer key that identifies your application.

    The following guide provides more information:
    http://developer.yahoo.com/oauth/guide/index.html

    Thanks,
    Yu Wang
    Yahoo! Membership Team
