TypeKey Identity Bridge
The UK Federation includes an identity provider that allows TypeKey identities to be accessed within the federation.
TypeKey is an open access, free identity service developed by Six Apart, Inc., originally for use with their Movable Type software. If you have commented on blogs in the past, you may already have a TypeKey identity; if you do not, you can create one for yourself.
The TypeKey Bridge is available as an option in the UK Federation WAYF, and allows TypeKey identities to be translated into SAML attributes for consumption by UK Federation service providers. This facility may find use in initial testing of new service providers, or for establishing identity at collaborative resources such as wikis.
We are grateful to Byrne Reese of Six Apart for his assistance in making this resource available to the community.
Technical Details
When you select the TypeKey Bridge as an identity provider, it establishes a session with you by writing some cookies, then redirects you immediately to the TypeKey service login page. Once you have authenticated with TypeKey, that service sends you back to the TypeKey Bridge with a message that includes your TypeKey attributes. This message is digitally signed by TypeKey so that the TypeKey Bridge knows that it is authentic. The TypeKey Bridge then responds to the service provider with an authentication assertion in the normal way. When the service provider later queries the TypeKey Bridge for attributes, the following attributes will be provided to it:
- eduPersonAffiliation will always be "member"
- eduPersonScopedAffiliation will always be "member@typekey.sdss.ac.uk"
- eduPersonPrincipalName will be "id@typekey.sdss.ac.uk", where "id" is your TypeKey login name
- eduPersonNickname will be your TypeKey nickname or full name, depending on the setting you have selected in your TypeKey account
- eduPersonTargetedID will be released in both the original scoped attribute style as well as the newer SAML 2.0 persistent identifier style.
- If you have selected the TypeKey option "When you comment on a weblog, send the weblog owner your email address", then your e-mail address will be released in the "mail" attribute.
- If you have not selected the e-mail address release option in your TypeKey account, you will be prompted during each TypeKey authentication for your permission to release this attribute. If you do not grant permission, the e-mail address will not be released to the TypeKey Bridge, and will not be available to the Shibboleth service provider.
- Two values will be released for eduPersonEntitlement, primarily to allow the TypeKey Bridge to be used to test new service provider installations:
  - urn:mace:ac.uk:sdss.ac.uk:entitlement:entitlement1 will be released for all identities to allow testing of simple entitlements
  - urn:mace:ac.uk:sdss.ac.uk:entitlement:group:number will be released to allow testing of entitlements associated with groups of users: number will be replaced by the decimal value of the first character of the TypeKey login name. For example, the TypeKey login name iay would result in an eduPersonEntitlement of urn:mace:ac.uk:sdss.ac.uk:entitlement:group:105.
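The attribute rules above are easiest to check against a new service provider if you can predict exactly what the bridge will release for a given TypeKey account. The following Python is an added illustration written for this page, not the bridge's own code: it derives the expected attribute set from a TypeKey identity and compares it with what a service provider actually received. The `TypeKeyIdentity` fields, the `bridge_attributes` and `compare_received` functions, and the sample account are assumptions constructed for the example; eduPersonTargetedID is left out because its value is generated per service provider and cannot be derived from the login name.

```python
"""Predict the attributes the TypeKey Bridge releases for a TypeKey identity.

Added example for this page, not the bridge's own implementation. The
TypeKeyIdentity fields below are an assumed model of what TypeKey hands back.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SCOPE = "typekey.sdss.ac.uk"
ENTITLEMENT_PREFIX = "urn:mace:ac.uk:sdss.ac.uk:entitlement"


@dataclass
class TypeKeyIdentity:
    """Assumed (constructed) view of a TypeKey account as seen by the bridge."""
    login: str                   # TypeKey login name, e.g. "iay"
    nickname: str                # TypeKey nickname
    full_name: str               # TypeKey full name
    show_nickname: bool = True   # account setting: release nickname rather than full name
    email: Optional[str] = None
    release_email: bool = False  # "send the weblog owner your email address", or consent granted


def group_entitlement(login: str) -> str:
    """Group entitlement: 'number' is the decimal value of the login name's first character."""
    if not login:
        raise ValueError("TypeKey login name must not be empty")
    return f"{ENTITLEMENT_PREFIX}:group:{ord(login[0])}"


def bridge_attributes(identity: TypeKeyIdentity) -> Dict[str, List[str]]:
    """Return the attribute set the bridge would offer to a service provider.

    eduPersonTargetedID is omitted: it is generated per service provider and
    cannot be predicted from the account alone.
    """
    attrs: Dict[str, List[str]] = {
        "eduPersonAffiliation": ["member"],
        "eduPersonScopedAffiliation": [f"member@{SCOPE}"],
        "eduPersonPrincipalName": [f"{identity.login}@{SCOPE}"],
        "eduPersonNickname": [
            identity.nickname if identity.show_nickname else identity.full_name
        ],
        "eduPersonEntitlement": [
            f"{ENTITLEMENT_PREFIX}:entitlement1",
            group_entitlement(identity.login),
        ],
    }
    # mail is released only when the account setting, or a per-login prompt, permits it.
    if identity.release_email and identity.email:
        attrs["mail"] = [identity.email]
    return attrs


def compare_received(expected: Dict[str, List[str]],
                     received: Dict[str, List[str]]) -> List[str]:
    """Names of expected attributes that are missing or differ at the service provider.

    Useful when testing a new SP: a name listed here points at a mapping or
    release problem for that attribute.
    """
    return [
        name for name, values in expected.items()
        if sorted(received.get(name, [])) != sorted(values)
    ]


if __name__ == "__main__":
    # Constructed sample account; the login name matches the page's own example.
    sample = TypeKeyIdentity(login="iay", nickname="iay", full_name="Example User",
                             email="user@example.org", release_email=False)
    for name, values in bridge_attributes(sample).items():
        print(f"{name}: {', '.join(values)}")
```

Run the module directly to print the predicted attribute set; the `group:105` entitlement for the login name `iay` is what the text above describes.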
Note that during a normal transaction the TypeKey Bridge itself will be completely transparent; the only visible communication you will have will be with the TypeKey service. In addition, if you are already signed into TypeKey, you will not even see a login page for that service.
You can find out more about how the TypeKey service works by reading about its API.
