Hi Russ,<div><br></div><div>Yang is correct. And yes, DNOA supports this scenario. In fact it includes some intra-web SSO OP and RP samples in the .zip file you can download. </div><div><br></div><div>If you want the RPs to <i>always</i> log the user in, you should use checkid_setup when the session is created (which translates to the default CreateRequest call in DNOA). If you only want to implicitly log the user in when he first enters the RP <i>if</i> the user has already logged into the OP, then the checkid_immediate that Yang suggested makes sense (IAuthenticationRequest.Immediate=true).</div>
<div><br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">On Tue, Apr 3, 2012 at 4:07 PM, Yang Zhao <span dir="ltr"><<a href="mailto:yang@yangman.ca">yang@yangman.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Have RP-B make an automated OpenID authentication request using<br>
immediate mode and identifier_select.<br>
<br>
See sections 9.1, 9.3 and 10 of the OpenID 2.0 spec.<br>
<div class="HOEnZb"><div class="h5"><br>
On 3 April 2012 15:42, Russ Ferrill <<a href="mailto:rferrill@vendorsafe.com">rferrill@vendorsafe.com</a>> wrote:<br>
> Let me describe the scenario I have in mind in a little more detail.<br>
><br>
> The user visits RP-A. RP-A does not ask the user to enter any information at all. RP-A makes an authorization request to the OP passing only the OP identifier. The OP prompts the user for credentials, authenticates the user, and sends a positive assertion to RP-A. The user then clicks a link on the RP-A site that redirects the user's browser to RP-B. My question is how does RP-B make an authentication request to the OP that results in the OP sending a positive assertion to RP-B where neither RP-B nor the OP prompts the user for any identification or credentials?<br>
><br>
> -----Original Message-----<br>
> From: <a href="mailto:yangman@gmail.com">yangman@gmail.com</a> [mailto:<a href="mailto:yangman@gmail.com">yangman@gmail.com</a>] On Behalf Of Yang Zhao<br>
> Sent: Tuesday, April 03, 2012 10:14 PM<br>
> To: Russ Ferrill<br>
> Cc: <a href="mailto:openid-code@lists.openid.net">openid-code@lists.openid.net</a><br>
> Subject: Re: [Code] Single sign on<br>
><br>
> On 3 April 2012 15:05, Russ Ferrill <<a href="mailto:rferrill@vendorsafe.com">rferrill@vendorsafe.com</a>> wrote:<br>
>> Let us suppose that there are two different relying party sites that both use<br>
>> the same OP and want to implement single sign on between them so that if an<br>
>> end user visits both sites the user is only prompted for login credentials a<br>
>> single time.<br>
><br>
> Yes, you can adopt OpenID to work as a SSO service. Basically<br>
> implement relying parties such that they authenticate against a<br>
> specific OP.<br>
><br>
> Cheers,<br>
> --<br>
> Yang Zhao<br>
> <a href="http://yangman.ca" target="_blank">http://yangman.ca</a><br>
<br>
<br>
<br>
--<br>
Yang Zhao<br>
<a href="http://yangman.ca" target="_blank">http://yangman.ca</a><br>
</div></div></blockquote></div><br></div>
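<div>The request RP-B would send and the two replies it has to tell apart, as an added example that is not part of the original thread or of DotNetOpenAuth. The OP endpoint, realm and return_to URLs are assumed placeholders, and signature, nonce and discovery checks (section 11 of the OpenID 2.0 spec) are left to the RP's OpenID library.</div>

```python
from urllib.parse import urlencode, urlsplit, parse_qs

OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = OPENID_NS + "/identifier_select"
# Assumed placeholder values for this example, not taken from the thread.
OP_ENDPOINT = "https://op.example/openid"
RP_B_REALM = "https://rp-b.example/"
RP_B_RETURN_TO = "https://rp-b.example/openid/return"
REQUIRED = ("openid.claimed_id", "openid.identity", "openid.response_nonce",
            "openid.assoc_handle", "openid.signed", "openid.sig")


def build_auth_request(immediate=True):
    """URL RP-B redirects the browser to (OpenID 2.0 sections 9.1 and 9.3)."""
    params = {
        "openid.ns": OPENID_NS,
        # checkid_immediate: the OP must answer without showing any UI.
        "openid.mode": "checkid_immediate" if immediate else "checkid_setup",
        # identifier_select: RP-B knows the OP but not yet who the user is.
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": RP_B_RETURN_TO,
        "openid.realm": RP_B_REALM,
    }
    return OP_ENDPOINT + "?" + urlencode(params)


def classify_response(return_url):
    """Triage the OP's indirect response before full verification."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(return_url).query).items()}
    if q.get("openid.ns") != OPENID_NS:
        return "reject"
    mode = q.get("openid.mode")
    if mode == "setup_needed":
        # Negative reply to an immediate request: no usable OP session.
        # Fall back to checkid_setup or leave the user anonymous.
        return "needs_setup"
    if mode != "id_res":
        return "reject"
    # Only accept assertions from the one OP this SSO deployment trusts,
    # addressed to the return_to URL this RP actually sent.
    if q.get("openid.op_endpoint") != OP_ENDPOINT:
        return "reject"
    if q.get("openid.return_to") != RP_B_RETURN_TO:
        return "reject"
    if not all(q.get(k) for k in REQUIRED):
        return "reject"
    return "verify_signature"  # hand off to the library for section 11 checks
```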