
Federated Authentication Beyond The Web: Problem Statement and Requirements

Document type: Expired Internet-Draft (individual), expired and archived
Author: Hannes Tschofenig
Last updated: 2010-07-26
RFC stream: (None)
Intended RFC status: (None)
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor note: (None)
IESG state: Expired
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active.


Application developers and system architects commonly need authentication and authorization support in a distributed environment. At least three parties have to cooperate: the end host, the identity provider, and the relying party. At the end of the exchange the identity provider asserts identity information or certain attributes to the relying party without exposing the user's long-term secret to the relying party. Although the problem sounds challenging and interesting, it is not new: various IETF groups have produced specifications that address it, such as Kerberos, RADIUS, and Diameter, and outside the IETF various Single-Sign-On solutions for HTTP-based applications have been developed as well. The reader might therefore wonder why new work is needed given the readily available solutions. This document tries to answer that question in a compact fashion. Note that the description focuses on the scope of the new work proposed for the "Federated Authentication Beyond The Web" BOF rather than on what could theoretically be done.
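The three-party exchange the abstract describes, as an added example in Python that is not part of the draft or of the proposed BOF work: the identity provider checks the user's long-term secret, mints an assertion bound to one relying party and a short lifetime, and the relying party verifies that assertion with a key it shares with the provider without ever receiving the password. The class names, the JSON claim layout, the HMAC-based assertion, the PBKDF2 storage of the secret and the 300-second lifetime are assumptions chosen for illustration; the draft defines no wire format.

```python
"""Three-party federated authentication, simulated end to end.

Added example, not part of the Internet-Draft. Class names, claim layout,
HMAC assertion format and the 300 s lifetime are illustrative assumptions.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional

ASSERTION_TTL = 300          # assumed assertion lifetime in seconds
PBKDF2_ROUNDS = 100_000      # assumed work factor for the stored secret


class IdentityProvider:
    """Holds the users' long-term secrets and one shared key per relying party."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._users = {}     # username -> (salt, PBKDF2 digest)
        self._rp_keys = {}   # relying-party name -> shared HMAC key

    def enroll_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest)

    def register_rp(self, rp_name: str) -> bytes:
        """Establish the key shared with one relying party (out of band)."""
        key = secrets.token_bytes(32)
        self._rp_keys[rp_name] = key
        return key

    def authenticate(self, username: str, password: str, audience: str,
                     attributes: dict, now: float) -> Optional[dict]:
        """Check the long-term secret; on success mint an assertion bound to one
        relying party (aud) and a short lifetime (exp). The password stays here."""
        record = self._users.get(username)
        if record is None or audience not in self._rp_keys:
            return None
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, stored):
            return None
        claims = {
            "iss": self.name,
            "sub": username,
            "aud": audience,
            "iat": int(now),
            "exp": int(now) + ASSERTION_TTL,
            "attributes": attributes,
        }
        body = json.dumps(claims, sort_keys=True, separators=(",", ":"))
        tag = hmac.new(self._rp_keys[audience], body.encode(), hashlib.sha256).hexdigest()
        return {"claims": body, "mac": tag}


class RelyingParty:
    """Trusts assertions from one identity provider; never sees a password."""

    def __init__(self, name: str, idp_name: str, shared_key: bytes) -> None:
        self.name = name
        self.idp_name = idp_name
        self._key = shared_key

    def verify(self, assertion: dict, now: float) -> Optional[dict]:
        """Return the claims, or None if the assertion is forged or tampered,
        from another provider, issued for another relying party, or expired."""
        body = assertion["claims"].encode()
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["mac"]):
            return None                      # MAC mismatch: forged or modified
        claims = json.loads(body)
        if claims.get("iss") != self.idp_name:
            return None                      # wrong issuer
        if claims.get("aud") != self.name:
            return None                      # meant for a different relying party
        if claims.get("exp", 0) <= now:
            return None                      # expired
        return claims


def build_parties():
    """Constructed setup: one IdP with an enrolled user and one registered RP."""
    idp = IdentityProvider("idp.example")
    idp.enroll_user("alice", "correct horse battery staple")
    rp = RelyingParty("app.example", "idp.example", idp.register_rp("app.example"))
    return idp, rp


if __name__ == "__main__":
    idp, rp = build_parties()
    a = idp.authenticate("alice", "correct horse battery staple", "app.example",
                         {"role": "editor"}, now=1000.0)
    print(rp.verify(a, now=1000.0), rp.verify(a, now=1000.0 + ASSERTION_TTL))
```

The audience check is the part most often left out in ad-hoc designs: without it an assertion obtained for one relying party can be replayed to another that trusts the same provider. The example keys assertions per relying party and additionally checks `aud`, so the replay fails on both the MAC and the claim.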


Hannes Tschofenig

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)