[Code] Single sign on
Andrew Arnott
andrewarnott at gmail.com
Wed Apr 4 03:28:09 UTC 2012
Hi Russ,
Yang is correct. And yes, DNOA supports this scenario. In fact it
includes some intra-web SSO OP and RP samples in the .zip file you can
download.
If you want the RPs to *always* log the user in, you should use
checkid_setup when the session is created (which translates to the default
CreateRequest call in DNOA). If you only want to implicitly log the user
in when he first enters the RP *if* the user has already logged into the
OP, then the checkid_immediate that Yang suggested makes sense
(IAuthenticationRequest.Immediate=true).
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
On Tue, Apr 3, 2012 at 4:07 PM, Yang Zhao <yang at yangman.ca> wrote:
> Have RP-B make an automated OpenID authentication request using
> immediate mode and identifier_select.
>
> See sections 9.1, 9.3 and 10 of the OpenID 2.0 spec.
>
> On 3 April 2012 15:42, Russ Ferrill <rferrill at vendorsafe.com> wrote:
> > Let me describe the scenario I have in mind in a little more detail.
> >
> > The user visits RP-A. RP-A does not ask the user to enter any
> > information at all. RP-A makes an authorization request to the OP passing
> > only the OP identifier. The OP prompts the user for credentials,
> > authenticates the user, and sends a positive assertion to RP-A. The user
> > then clicks a link on the RP-A site that redirects the user's browser to
> > RP-B. My question is how does RP-B make an authentication request to the OP
> > that results in the OP sending a positive assertion to RP-B where neither
> > RP-B nor the OP prompts the user for any identification or credentials?
> >
> > -----Original Message-----
> > From: yangman at gmail.com [mailto:yangman at gmail.com] On Behalf Of Yang Zhao
> > Sent: Tuesday, April 03, 2012 10:14 PM
> > To: Russ Ferrill
> > Cc: openid-code at lists.openid.net
> > Subject: Re: [Code] Single sign on
> >
> > On 3 April 2012 15:05, Russ Ferrill <rferrill at vendorsafe.com> wrote:
> >> Let us suppose that there are two different relying party sites that
> >> both use the same OP and want to implement single sign on between them
> >> so that if an end user visits both sites the user is only prompted for
> >> login credentials a single time.
> >
> > Yes, you can adopt OpenID to work as a SSO service. Basically
> > implement relying parties such that they authenticate against a
> > specific OP.
> >
> > Cheers,
> > --
> > Yang Zhao
> > http://yangman.ca
>
>
>
> --
> Yang Zhao
> http://yangman.ca
>
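The request Yang describes (immediate mode with identifier_select) and the outcomes an RP has to tell apart, shown at the OpenID 2.0 message level as an added example that is not part of the original thread or of DNOA. The endpoint, return_to and realm values and the function names are constructed assumptions, and the return_to comparison is a simplified exact match.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = OPENID_NS + "/identifier_select"

# Constructed sample values (assumptions, not taken from the thread).
OP_ENDPOINT = "https://op.example/openid"
RETURN_TO = "https://rp-b.example/openid/return"
REALM = "https://rp-b.example/"


def build_auth_request(op_endpoint, return_to, realm, immediate=True):
    """URL RP-B redirects the browser to; the user types nothing at the RP."""
    params = {
        "openid.ns": OPENID_NS,
        # checkid_immediate: the OP must answer without showing any UI.
        "openid.mode": "checkid_immediate" if immediate else "checkid_setup",
        # identifier_select: the OP supplies the identifier.
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }
    sep = "&" if urlsplit(op_endpoint).query else "?"
    return op_endpoint + sep + urlencode(params)


def classify_response(callback_url, expected_op, expected_return_to):
    """Map the OP's indirect response to the RP's next step."""
    query = parse_qs(urlsplit(callback_url).query)
    q = {k: v[0] for k, v in query.items()}
    if q.get("openid.ns") != OPENID_NS:
        return "reject"
    mode = q.get("openid.mode")
    if mode == "setup_needed":
        # No usable OP session: stay anonymous or retry with checkid_setup.
        return "not_logged_in"
    if mode == "cancel":
        return "cancelled"
    if mode == "id_res":
        # SSO against one OP: refuse assertions from any other endpoint
        # or for another return_to (simplified exact-match check).
        if q.get("openid.op_endpoint") != expected_op:
            return "reject"
        if q.get("openid.return_to") != expected_return_to:
            return "reject"
        # Signature, nonce and discovery checks are still required.
        return "verify_assertion"
    return "reject"
```

A result of `verify_assertion` only means the message is shaped like a positive assertion from the expected OP; the RP must still complete assertion verification before creating a session.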