Login Federation

Nat Sakimura n-sakimura at nri.co.jp
Mon Feb 18 12:12:57 UTC 2008


In a single domain scenario, such as inside a corporation, one could 
issue a domain cookie having op_identifier or claimed_id and RP can 
start the authentication request based on this. It is not in the spec, 
but can easily be done.

In a multi domain scenario such as the Internet, it is not that simple. 
If the sites are in the same "Circle of trust", then they can set up a 
shared server with multiple domain names and issue an identical domain 
cookie a la Liberty. This is essentially the same as the single domain 
scenario, then. This again is not in the spec.

If this is not desired or possible, things do not work out so nicely 
then.
You need a way to tell RP the OP somehow. One possible way is always to 
jump from a link page but that is not very realistic. Using a browser 
plug-in is another. Of course, this is not a spec either...

Regards,

Nat

Brett Carter wrote:
> I've dug around a bit, and haven't found anything, so I thought I'd
> ask here.  Is any work being done on adding some sort of federated
> login for open id?  By 'federated' I simply mean that signing into my
> open id provider, this automatically signs me into all my open id
> enabled sites (of my choice) at once.
>
> I have a few ideas I'd like to kick around if somebody isn't already
> working on this.  If so, please feel free to point me in the right
> direction.
> -Brett
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
>   

-- 
Nat Sakimura (=nat)
Nomura Research Institute, Ltd. 
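
The single-domain case described in the reply above, as an added example that is not part of the original message or of any OpenID specification: an RP reads a domain cookie carrying op_identifier or claimed_id and turns it into an OpenID 2.0 checkid_immediate request. The cookie name, its value format, the hosts and the endpoint table are all assumptions made for illustration.

```python
from http.cookies import CookieError, SimpleCookie
from urllib.parse import unquote, urlencode, urlsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = OPENID_NS + "/identifier_select"
HINT_COOKIE = "openid_hint"  # hypothetical cookie name

# Assumption: OP hosts this RP trusts, each mapped to the endpoint URL that
# normal OpenID discovery returned for it earlier.
TRUSTED_OP_ENDPOINTS = {"op.example.corp": "https://op.example.corp/openid/endpoint"}


def auth_request_from_hint(cookie_header, return_to, realm):
    """Return a checkid_immediate redirect URL, or None to show the login form."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return None
    morsel = jar.get(HINT_COOKIE)
    if morsel is None:
        return None
    # Constructed value format: "<kind>:<percent-encoded identifier URL>".
    kind, sep, raw = morsel.value.partition(":")
    if not sep or kind not in ("op_identifier", "claimed_id"):
        return None
    identifier = unquote(raw)
    try:
        parts = urlsplit(identifier)
    except ValueError:
        return None
    # The cookie is only a hint that any sibling host could have set, so it
    # may select a pre-approved OP but never introduce a new one.
    if parts.scheme != "https" or parts.hostname not in TRUSTED_OP_ENDPOINTS:
        return None
    # With an OP Identifier the user picks the identity at the OP; with a
    # claimed_id we assume no delegation, so identity equals claimed_id.
    selected = IDENTIFIER_SELECT if kind == "op_identifier" else identifier
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_immediate",
        "openid.claimed_id": selected,
        "openid.identity": selected,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    return TRUSTED_OP_ENDPOINTS[parts.hostname] + "?" + urlencode(params)
```

The cookie only chooses where the request is sent; the assertion that arrives at return_to is verified exactly as for a login the user started by hand.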
