Where a user has more than one identity, he or she should be able to choose which identity to present to a given Relying Party (RP). That choice is made through an Identity Selector.
Some identity selectors are client-based, but these have a number of serious disadvantages:
- They require the user to install and maintain software.
- They may not be available for all platforms, so RPs cannot rely on their presence.
- Conflicts may arise if several different selectors are installed on the same machine.
- User identities may need to be copied to each of the user's devices.
- They offer no security advantage: RPs and IdPs cannot trust client-side components, which run on a machine neither party controls.
- They are difficult to keep up to date or to extend with new features.
Cloud selectors have none of these problems and are a natural fit for online identities. The trade-off is that the selector operator becomes a trusted intermediary that sees which RPs a user authenticates to, so it must be protected accordingly.
For high-assurance use, a cloud selector can be combined with out-of-band authentication, for example a confirmation delivered to a separate device, to provide a stronger level of assurance than the browser session alone.
Also, because they are centralised, updates to cloud selectors (for example new features or security fixes) apply immediately to all users.
From the RP's perspective, the RP has complete control over which cloud selectors the user may choose from; in practice this means maintaining a list of approved selectors and refusing any other. The RP can also verify the selector out of band, a control that is not possible with a client-side selector.
Activating a cloud selector from an RP is also simpler, requiring only HTML or JavaScript familiar to any web developer. The RP must still check that any reply it receives actually comes from one of its approved selectors rather than from an arbitrary page.