[OpenID] Live Icons for visual recognition of IDP logos

Peter Williams pwilliams at rapattoni.com
Thu Apr 2 20:44:56 UTC 2009

Try plaxo. Login using an openid. Goto account  management. Add another openid in the box (which induces login screen to appear to OP to authenticate/authorized the binding). Done.

Want to delete a binding? Guess what! Some really advanced UI has you pick one (after logon) and delete it from the account management properties.

Remember openid websso (like SAML websso) is *mostly* deployed in simple session translation mode. Once you are on the RP site having been introduced by openid auth-controlled "intermediating" sessions, it’s the RP session that thenceforth controls auth/authz on the webapp, not the OP. So, you can delete any session translation service (aka openid binding) - even the one that got you to that particular RP session. It's completed its job.

> -----Original Message-----
> From: Deron Meranda [mailto:deron.meranda at gmail.com]
> Sent: Thursday, April 02, 2009 1:40 PM
> To: Allen Tom
> Cc: Peter Williams; general
> Subject: Re: [OpenID] Live Icons for visual recognition of IDP logos
> On Thu, Apr 2, 2009 at 2:36 PM, Allen Tom <atom at yahoo-inc.com> wrote:
> > RPs should allow users to bind multiple identifiers to a user's
> account, and
> > allow users to add and remove them.
> I absolutely agree.  But is there any recommended way to do that,
> in terms of a consistent user interaction?  In fact I haven't seen very
> many RPs in the wild attempt the multiple id support yet, though it
> seems to be something that we should strongly try to encourage.
> The way that my own RP does that is that when you're already logged
> in (say using identity A) and you try to login again (with id B)
> without
> having logged out first, it will
> 1. Put up a page that says you were already logged in before, and
> 2. Ask if you would you like to add the identity you just logged in
>     to the same user account; or instead login as a new user (thus
>     logging the first one out).
> In between 1 and 2 the user is sort of in a limbo session state.
> I know their OpenID identity, but I haven't mapped them to a
> local user account yet.
> Obviously to do this I must maintain a mapping of OpenID identities
> to local user accounts; and this is a many to one mapping.  This means
> that the OpenID identity is NOT my user account identity; but instead
> that
> the OpenID identity REFERENCES my user account identity.  A
> subtle but important distinction.
> Furthermore once a user is logged in, they can go to their user
> "preferences" screen; where a list of all their OpenID identities is
> shown.  From there they can delete any of them.
> Obviously, if you don't have an account recovery system in place
> (such as via verified email), then you need to prevent the user from
> deleting ALL of their identities lest they be locked out.  Also, since
> the
> only way to add an identity is to actually use it first (login with
> it), I don't
> have to worry about them only having identities left which have never
> been "tested", and thus chance them locking themselves out.
> --
> Deron Meranda

More information about the general mailing list