[OpenID] Platform-ing the web with Federated hubs and syndicated apps
S. Sriram
ssriram at gmail.com
Sun Jul 22 20:24:09 UTC 2007
From: "Peter Williams" <pwilliams at rapattoni.com>
>User logs onto IDP Hub (e.g. msn.com) using Passport/cardspace say. They
>click a syndicated spoke link, for which this IDP has a previous OpenID
>association established with that (syndicated merchant site) spoke. The
>resulting link redirect to the syndicated site is accompanied by
>hmac-signed attributes: "hub OP URL" and "OpenID associated with the
>Passport user". (*) On landing at the spoke's assertion consumer endpoint,
>OpenID Auth protocol run then occurs, as today, now with some confidence
>about the validity of the OP's endpoint address.
Requiring an OpenID run results in requiring the hub to be an IDP and run an
OpenID server. Instead, having the hub request a session key, which it uses
in the subsequent redirect, alleviates the need for a) the hub being an IDP
and b) the spoke initiating an OpenID run.
The limitation, of course, being that spoke-initiated sign-on for this hub.com
user_id would require that the spoke too requires the user to click on the
same link, i.e. <a href=hub.com/federator.cgi?app=spoke>login to spoke app w/
your hub.com id</a>
>I am wondering, incidentally, about adopting this model for a first OpenID
>deployment, tho it's a little inappropriate given the wider mission of
>the group. IDP-initiated webSSO is a much easier first step to get going in
>practice, requiring much less of an infrastructure refit. Obviously, it's
>much less distributed or user-centric. But, if OpenIDs are going to be
>"issued" by all-powerful IDPs using enterprise management models over
>users, there is really no reason to avoid IDP-initiated WebSSO.
Wouldn't an even more incremental first step be removing the need to be an
OpenID server and simply becoming a federated hub for syndicated apps, so
all social networks out there could rapidly become hubs for the 1000s of
already existing Facebook apps with some relatively minor tweaks both at the
hub & spoke ends?
S. Sriram
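The hub-to-spoke redirect sketched in Peter's quoted paragraph, as an added example that is not part of the original post: the hub signs the "hub OP URL" and "OpenID" attributes with an HMAC under the key of the association it already holds with the spoke, and the spoke's consumer endpoint verifies them before trusting the OP endpoint address. The shared secret, the parameter names and the "issued" freshness check are assumptions for illustration; the thread does not specify them.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-in for the MAC key of the OpenID association the hub
# already holds with the spoke; a real deployment would look it up by handle.
ASSOC_HANDLE = "assoc-hub-spoke-1"
ASSOC_SECRET = b"constructed-shared-secret-for-illustration-only"

# Parameter names are assumptions; "issued" is an added freshness field so a
# captured redirect cannot be replayed indefinitely.
SIGNED_FIELDS = ("hub_op_url", "openid", "issued")


def _signature_base(params):
    # Fixed field order plus URL-encoding keeps the signed string unambiguous
    # even if a value contains '&' or '='.
    return urlencode([(k, params[k]) for k in SIGNED_FIELDS]).encode()


def hub_build_redirect(spoke_endpoint, hub_op_url, user_openid,
                       secret=ASSOC_SECRET, now=None):
    """Hub side: build the syndicated-spoke link with HMAC-signed attributes."""
    issued = int(time.time() if now is None else now)
    params = {"hub_op_url": hub_op_url, "openid": user_openid,
              "issued": str(issued), "assoc_handle": ASSOC_HANDLE}
    params["sig"] = hmac.new(secret, _signature_base(params),
                             hashlib.sha256).hexdigest()
    return f"{spoke_endpoint}?{urlencode(params)}"


def spoke_verify_redirect(url, secret=ASSOC_SECRET, now=None, max_age=300):
    """Spoke side: return the asserted attributes, or None if the signature
    is bad, a signed field is missing, or the redirect is stale."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in params or any(k not in params for k in SIGNED_FIELDS):
        return None
    expected = hmac.new(secret, _signature_base(params),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(params["sig"], expected):
        return None  # tampered, or signed under a different association key
    age = int(time.time() if now is None else now) - int(params["issued"])
    if not 0 <= age <= max_age:
        return None  # replayed after expiry (or clock skew beyond tolerance)
    return {"hub_op_url": params["hub_op_url"], "openid": params["openid"]}
```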