[OpenID] Multiple Domains and State

Nate Klingenstein ndk at internet2.edu
Wed Apr 23 19:05:09 UTC 2008 

Trey & Shade,

Here's a picture and writeup courtesy of UAB, NCSA & their early  
proxying experiments that might help:

https://spaces.internet2.edu/display/GS/MyVocs

> About #1. If openId's are unique why would the authenticating party  
> need to specify which one out of two or more? Assuming they were  
> using one openId for my properties we could use that openId- 
> provider.com/username as the key to lookup the user on the original  
> domain.

In your example, would the RP receive the identifier auth.com/trey,  
or openid.com/trey?  Who would have issued and confirmed it?  How do  
you avoid auth.com/trey going to openid.com/ndk or microsoft.com/bgates?

It gets worse when you start dealing with attributes.

> Also, to double check. You are saying that openId supports -- or  
> maybe more specifically doesn't prohibit -- chaining authentication  
> to an intermediary server?

If you're just using openid.com/trey to authenticate for auth.com/ 
trey, then you're probably within the specs.  If your intention is to  
allow auth.com to be authoritative for openid.com/trey through some  
other process, you've probably moved outside the specs, as Shade  
alludes to.

In particular, you'd have issues with the Return URL.  What does  
openid.com stick in there that is spec-legal, goes to auth.com, and  
will be trusted by related-a.com?

> Lastly, is there anything published online (specs, docs, howtos,  
> thoughts or reflections) about what we're trying to do here that  
> you know of?

See the document above(as well as the IAMSuite work out of  
Australia).  The flow diagram is significantly more complicated than  
it needs to be because they were trying to integrate with existing  
software packages.  I can also send you an old paper I wrote on this  
off-list if you're interested.  There are a few other ways to skin  
this cat.

Glad to have your insights on this old problem,
Nate.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20080423/cd087047/attachment-0002.htm>

More information about the general mailing list