Ping Identity Adds New Shortcut for Using SAML
Monday, 14 January 2008
Ever since the days of EDI, one of the biggest hang-ups in conducting B2B commerce has been the very process of establishing trust and completing the electronic handshakes. With the advent of SAML (and its Microsoft-backed counterpart, WS-Federation), at least there was a standard in place to describe how two partners would identify and authenticate themselves to each other using web services. The problem was that, at several hundred pages long, SAML has so far proven as difficult to implement as EDI. Ping Identity is now adding a new mechanism that could significantly shortcut the process.

The new 5.0 version of PingFederate provides a new “auto-connect” shortcut that is meant to support the most common use case in B2B commerce, where both entities already know each other. The idea is that both trading partners maintain “white lists” that specify which companies, and their respective domain names, are approved business partners. From that point, if a user from an approved organization on the white list seeks access to your business page, auto-connect takes over, using a preset profile for validating the user claiming to be from the approved trading partner.

Ping claims that this process, which sounds quite simple, can get trading partners authenticated much faster than traditional handshaking. That's because of the domain name verification mechanism involved, and because the two parties don't have to custom-negotiate all the protocols by which they will communicate authentication information.

Of course, using a domain name as a handle sounds deceptively easy, and if you’ve been the victim of spam that spoofs your domain name, your obvious first reaction is that this system could be easily defeated. The typical scenario would be a disgruntled ex-employee who knows who’s on the white lists. However, PingFederate then authenticates the requestor back with the entity that is listed, and at that point can deny rogue access.

Ping, which is active in the OASIS SAML technical committee and the Liberty Alliance (from which much of SAML 2.0 was drawn), is proposing in turn to add domain name verification as a new SAML profile (i.e., a pattern for implementing SAML). Specifically, it would establish a standard path, such as small.organizationdomainname.com, as the place for discovering a potential trading partner’s SAML profile data.
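
To make the white-list and discovery steps concrete, here is an added illustration, not PingFederate code or anything published by Ping Identity: it matches a claimed partner domain only at label boundaries and derives the discovery location from the white-list entry rather than from the request. The partner domains, the function names, and the assumption that the claimed issuer arrives as an HTTPS URL are constructed for this example; the `small` label follows the path given above.

```python
from urllib.parse import urlsplit

# Constructed white list for illustration; these domains are not from the article.
APPROVED_PARTNERS = {"partner-a.example", "supplier-b.example"}


def normalize_domain(name):
    """Lower-case, drop a trailing dot, and IDNA-encode a domain name."""
    name = name.strip().rstrip(".").lower()
    if not name:
        raise ValueError("empty domain")
    return name.encode("idna").decode("ascii")


def approved_partner_for(issuer_url, approved=APPROVED_PARTNERS):
    """Return the white-list entry that covers the claimed issuer, or None.

    Assumption: the claimed issuer is presented as an HTTPS URL.
    """
    try:
        parts = urlsplit(issuer_url)
        if parts.scheme != "https" or not parts.hostname:
            return None
        host = normalize_domain(parts.hostname)
    except ValueError:  # malformed URL or invalid label (UnicodeError included)
        return None
    for entry in approved:
        domain = normalize_domain(entry)
        # Exact domain, or a subdomain at a label boundary; a plain suffix
        # comparison would also accept "notpartner-a.example".
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def discovery_url(partner_domain, label="small"):
    """Build the lookup location from the white-list entry, never from the request.

    The default label follows the article's example path; treat it as a placeholder.
    """
    return "https://{}.{}/".format(label, normalize_domain(partner_domain))
```

Passing the white-list check only selects which partner to ask; it is the check back with the listed entity, reached through the derived location, that lets a spoofed request be denied.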




