The cardholder, when visiting a site and wanting to use the card, must first authenticate himself to the IP, who creates the token with the appropriate data and passes it back to the user, who may in turn pass it to a relying party (RP). The card itself contains nothing more than the metadata of the information it represents. The card is stored on the user's computer in an encrypted data file but can only be used to request the data from the security token service that the IP has encoded into the card.
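The exchange described above, as an added example that is not part of the original text: a card that carries only metadata (issuer, STS endpoint, supported claim types), an IP-side security token service that authenticates the user before minting a signed token, and an RP that verifies issuer, audience, signature and freshness before trusting the claims. The card identifier, issuer URL, user record and the HMAC-signed token format are all constructed for illustration; the real protocol uses a signed SAML token obtained over WS-Trust and verified with the IP's certificate, so the shared key here is a stand-in for that.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass

# Constructed sample card: metadata only, never the claim values themselves.
CARD = {
    "card_id": "urn:example:card:1234",              # constructed identifier
    "issuer": "https://idp.example.test",             # assumed IP name
    "sts_endpoint": "https://idp.example.test/sts",   # where the card points the selector
    "supported_claims": ["email", "age_over_18"],
}

# Constructed: the IP's own user records and its token-signing key.
# (Stand-in for a real directory and certificate; the RP would normally hold
# only the IP's public key.)
USER_STORE = {
    "alice": {"password": "correct horse", "email": "alice@example.test", "age_over_18": True},
}
STS_KEY = secrets.token_bytes(32)


@dataclass
class Token:
    issuer: str
    audience: str
    claims: dict
    issued_at: float
    signature: str = ""

    def payload(self) -> bytes:
        # Canonical serialization so the signature covers exactly what the RP checks.
        body = {"iss": self.issuer, "aud": self.audience,
                "claims": self.claims, "iat": self.issued_at}
        return json.dumps(body, sort_keys=True).encode()


def sts_issue_token(card, username, password, rp_audience, requested_claims):
    """IP-side security token service.

    Authenticates the cardholder first, then fills the requested claims from the
    IP's own records. Nothing on the card is trusted as a claim value; the card
    only says which claim types this issuer is willing to assert.
    """
    user = USER_STORE.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        raise PermissionError("authentication failed")
    unknown = set(requested_claims) - set(card["supported_claims"])
    if unknown:
        raise ValueError(f"card does not offer claims: {sorted(unknown)}")
    tok = Token(issuer=card["issuer"], audience=rp_audience,
                claims={c: user[c] for c in requested_claims}, issued_at=time.time())
    tok.signature = hmac.new(STS_KEY, tok.payload(), hashlib.sha256).hexdigest()
    return tok


def rp_verify(token, expected_issuer, my_audience, key, max_age=300):
    """Relying-party side: returns the claims only if the token is authentic,
    came from the issuer this RP trusts, was minted for this RP, and is fresh.
    Returns None on any failure so callers cannot accidentally use the claims."""
    expected = hmac.new(key, token.payload(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.signature):
        return None
    if token.issuer != expected_issuer or token.audience != my_audience:
        return None
    if time.time() - token.issued_at > max_age:
        return None
    return token.claims


if __name__ == "__main__":
    rp = "https://rp.example.test"
    tok = sts_issue_token(CARD, "alice", "correct horse", rp, ["email"])
    print(rp_verify(tok, CARD["issuer"], rp, STS_KEY))
```

The two checks worth noticing on the RP side are the audience comparison, which stops a token issued for one site being replayed at another, and returning `None` rather than partial claims on any failure.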
Justifying the decision to become an IP takes more than simply declaring the intent. An IP can issue cards for any purpose that it sees fit, and it should do so to fulfill valid business requirements. Issuing the card does come with a measure of responsibility, both to the cardholder to whom it issues identities and to the RPs who would use them.
Users expect a great deal from an IP
When the decision to issue cards has been made, an organization needs to make a few important architectural choices regarding card provisioning, claims, and expressing the organization's own identity.
Uncovering the Rationale for Becoming an Identity Provider
Organizations that choose to become an IP do so to fulfill a wide variety of different purposes.