[OpenID] Attribute Exchange proposal and verified attributes in action
dick at sxip.com
Fri Jan 19 00:15:51 UTC 2007
We demoed this at IIW back in early December, and realized people on
this list might be interested in seeing it first hand.
Apologies if you don't care about Attribute Exchange, but thought
there is nothing like seeing something for real to make things clear.
The demo shows self asserted attribute exchange, verified attribute
exchange (both fetch and store).
Here are the steps
1) you need to install Sxipper (since it is the only OP we know of
that supports the OpenID Attribute Exchange draft)
http://www.sxipper.com (you will need to be running Firefox -- 2.0
is best -- http://firefox.com)
2) go to https://verify.sxip.com/email/
3) select your public identifier and release an email address
4) you should get an email with a verification link in it, click on
the link (or copy and paste it into Firefox if it is not your default
5) you will login again so that we know it is still you
6) you will then be prompted to store the verified email assertion
back with your OP (Sxipper in this case)
(If you had other OpenIDs you would like associated with the email,
then you could do that, but you can't now)
7) go to https://verify.sxip.com/demorp/ to use the verified email
8) log into the demo RP to see attributes being released as well as
the SAML assertion
9) once logged in, you can show the assertion.
Inside the SAML assertion you will see that the Subject is your OpenID:
And the attribute name and value:
Note the value is a hash of your email address, not your email
address. This way you can prove you have a specific email address
without actually disclosing your email address. Since you can provide
your email address unverified, the two together allow you to share
your email address and prove that you own it.
Hopefully this is useful for some of the discussions that have been
happening on the list.
Any feedback on how SAML was used or the overall flow would be
appreciated, although that is best done on the specs at openid.net list.
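
The relying-party check described in the message above (match a self-asserted email against the hashed value in the verified assertion), as an added example that is not part of the original post and not Sxip's code. The hash algorithm (SHA-256), the trim/lowercase normalization, and the dictionary field names `subject` and `email_hash` are assumptions; the message does not specify them.

```python
import hashlib
import hmac

def email_digest(email: str, algorithm: str = "sha256") -> str:
    """Hex digest of an email address.

    Assumption: the verifier hashes the trimmed, lowercased address.
    The real algorithm and normalization are not stated in the message.
    """
    normalized = email.strip().lower().encode("utf-8")
    return hashlib.new(algorithm, normalized).hexdigest()

def verified_email_matches(authenticated_openid: str,
                           claimed_email: str,
                           assertion: dict,
                           algorithm: str = "sha256") -> bool:
    """Return True only if the assertion vouches for claimed_email
    and is about the OpenID that just authenticated.

    Assumes the assertion's signature and issuer were already validated
    by the caller; 'assertion' is a hypothetical parsed form holding the
    Subject and the hashed attribute value.
    """
    # The Subject must be the identifier the user logged in with,
    # otherwise someone else's verified assertion could be replayed.
    if assertion.get("subject") != authenticated_openid:
        return False
    expected = email_digest(claimed_email, algorithm).encode("ascii")
    presented = str(assertion.get("email_hash") or "").encode("utf-8")
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(expected, presented)

# Constructed sample data (not taken from the demo).
SAMPLE_OPENID = "https://alice.example.org/"
SAMPLE_ASSERTION = {
    "subject": SAMPLE_OPENID,
    "email_hash": email_digest("alice@example.org"),
}

if __name__ == "__main__":
    print(verified_email_matches(SAMPLE_OPENID, "Alice@Example.org", SAMPLE_ASSERTION))
    print(verified_email_matches(SAMPLE_OPENID, "mallory@example.org", SAMPLE_ASSERTION))
```

An unsalted hash of an email address can be confirmed by anyone who already guesses the address, so the hashed value hides the address only from parties who cannot enumerate candidates.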