
interfed - Re: [inc-interfed] Apr 2 notes / Apr 9 agenda

Subject: Interfederation

  • From: John Krienke <>
  • To: <>
  • Cc: Tom Scavo <>
  • Subject: Re: [inc-interfed] Apr 2 notes / Apr 9 agenda
  • Date: Tue, 9 Apr 2013 12:53:19 -0400
  • Authentication-results: sfpop-ironport04.merit.edu; dkim=neutral (message not signed) header.i=none

On 4/2/13 5:06 PM, Tom Scavo wrote:
> How do we increase the likelihood that MDUI DisplayName is globally
> unique? I think it's nontrivial to enforce uniqueness at the consumer,
> but that's exactly what you need, especially on the discovery
> interface.

I don't think we can expect that MDUI DisplayName will be globally -- or even federationally -- unique. I'm thinking about the use case where several universities will want to each run a social-to-SAML gateway, which would mean that each university would put into federation metadata an IdP with an MDUI DisplayName similar to "Google" or "Google Sign In Gateway" or some such. If this becomes a global practice, we could see dozens or hundreds of social IdP gateways, where the combination of Organization Display Name + MDUI DisplayName may be unique, but the MDUI DisplayName by itself is not. This seems to place a higher bar on intelligent Discovery UI. As long as we do a good job of validating the Org, I don't think there is necessarily a security risk in this practice of allowing any known and verified Org to have an IdP with an MDUI DisplayName of "VISA" for example. But this is certainly becoming a ripe policy question.

john.
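
An added example, not part of the original message or of any federation's tooling: one way a discovery interface could label IdPs when MDUI DisplayName collides, using Organization Display Name + MDUI DisplayName and falling back to the entityID when that pair is still ambiguous. The entityIDs, organizations and the `discovery_labels` helper are hypothetical, and the aggregate is assumed to have had its signature verified before parsing.

```python
import xml.etree.ElementTree as ET
from collections import Counter
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "mdui": "urn:oasis:names:tc:SAML:metadata:ui"}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Constructed sample aggregate (hypothetical entities), trimmed to the elements read here.
ENTITY = """<md:EntityDescriptor entityID="{0}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><mdui:UIInfo><mdui:DisplayName xml:lang="en">{1}</mdui:DisplayName></mdui:UIInfo></md:Extensions>
  </md:IDPSSODescriptor>
  <md:Organization><md:OrganizationDisplayName xml:lang="en">{2}</md:OrganizationDisplayName></md:Organization>
</md:EntityDescriptor>"""
SAMPLE = ('<md:EntitiesDescriptor xmlns:md="%s" xmlns:mdui="%s">' % (NS["md"], NS["mdui"])
          + "".join(ENTITY.format(*row) for row in [
              ("https://gateway.univ-a.example/idp", "Google Sign In Gateway", "University A"),
              ("https://gateway.univ-b.example/idp", "Google Sign In Gateway", "University B"),
              ("https://gateway2.univ-b.example/idp", "google sign in gateway", "University B"),
              ("https://idp.univ-c.example/idp", "University C Login", "University C")])
          + "</md:EntitiesDescriptor>")

def _text(entity, path, lang):
    """First non-empty value at `path` whose xml:lang matches `lang`, else ''."""
    for el in entity.findall(path, NS):
        if el.get(XML_LANG) == lang and el.text and el.text.strip():
            return el.text.strip()
    return ""

def _key(s):
    return " ".join(s.split()).casefold()  # ignore case and spacing, as a reader would

def discovery_labels(xml_text, lang="en"):
    """Map entityID -> a label that is unique within the aggregate."""
    rows = []
    for ent in ET.fromstring(xml_text).iter("{%s}EntityDescriptor" % NS["md"]):
        name = _text(ent, "md:IDPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:DisplayName", lang)
        org = _text(ent, "md:Organization/md:OrganizationDisplayName", lang)
        if name:
            rows.append((ent.get("entityID"), name, org))
    by_name = Counter(_key(n) for _, n, _ in rows)
    by_pair = Counter((_key(n), _key(o)) for _, n, o in rows)
    labels = {}
    for eid, name, org in rows:
        if by_name[_key(name)] == 1:
            labels[eid] = name                      # DisplayName alone is unique
        elif org and by_pair[(_key(name), _key(org))] == 1:
            labels[eid] = "%s (%s)" % (name, org)   # org + DisplayName is unique
        else:                                       # still ambiguous: show the entityID
            labels[eid] = "%s (%s) [%s]" % (name, org or "no organization", eid)
    return labels
```

The label is only as trustworthy as the federation's validation of the Organization element, which is the condition the message above attaches to this practice.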



