[OpenID] OpenID and SSO

NISHITANI Masaki m-nishitani at nri.co.jp
Fri Jun 27 01:57:12 UTC 2008


Basically, there is a fundamental conflict between ordinary 
SSO and OpenID, I think.

SSO can be defined as an authentication/authorization method 
that treats many sites as one. In the SSO world, an end-user does 
not need to care which site they are actually visiting.

In contrast, the purpose of OpenID is to accept the result of 
authentication (an assertion) from other sites. OpenID is 
designed to distinguish one site from another.

Technically, SSO requires sites to know which identity 
provider (IdP) the user belongs to without any user 
interaction. Usually this is implemented by configuring only 
one IdP in the sites, and as a result, all the sites make up 
a closed circle of trust.

In the OpenID world, which is an open world, a user can choose 
any IdP (an OpenID provider, or OP, in OpenID terms) and an RP can accept 
assertions from hundreds of OPs. To realize this, the RP should 
process the OP selection before making an authentication 
request. This means OpenID usually requires a 
user interaction as the first step.

It is true that an RP can do the first user interaction 
implicitly with cookies, or skip it altogether by using a hard-coded 
OP. But those are not typical SSO or OpenID use-cases.
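The OP-selection step discussed in the post above, as an added example that is not part of the original message and not code from any OpenID library: a classic SSO site returns its one configured IdP without asking the user, whereas an OpenID RP must normalize the user-supplied identifier (OpenID Authentication 2.0, section 7.2) and run discovery on it (HTML-based discovery, section 7.3.3) before it even knows which OP to send the authentication request to. The "remembered" path shows the cookie variant the post mentions. The URLs, the `SSO_IDP` constant and the `SAMPLE_PAGES` table standing in for an HTTP fetch are constructed for this example.

```python
"""Added example (not from the original post or any OpenID library):
where does an RP send the user, under classic SSO versus OpenID 2.0?"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the document an HTTP fetch of the claimed identifier
# would return.  In a real RP this is an HTTP GET that follows redirects.
SAMPLE_PAGES = {
    "http://alice.example.org/": """<html><head>
      <link rel="openid2.provider" href="https://op.example.net/auth">
      <link rel="openid2.local_id" href="https://op.example.net/alice">
      <title>Alice</title></head><body>hi</body></html>""",
}

# Constructed: the single IdP a classic SSO deployment is configured with.
SSO_IDP = "https://idp.corp.example/saml/sso"


def normalize_identifier(user_input: str) -> str:
    """Normalize a user-supplied identifier (OpenID 2.0, section 7.2).

    An XRI (input starting with =, @, +, $, ! or "(") is returned as-is
    after stripping an optional "xri://".  A URL gets "http://" prepended
    when no scheme is given, its fragment dropped, scheme and host
    lower-cased, and an empty path replaced by "/".
    """
    ident = user_input.strip()
    if not ident:
        raise ValueError("empty identifier")
    if ident.startswith("xri://"):
        ident = ident[len("xri://"):]
    if ident[0] in "=@+$!(":
        return ident                       # XRI: resolved via XRDS, not shown
    if "://" not in ident:
        ident = "http://" + ident
    parts = urlsplit(ident)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


class _LinkCollector(HTMLParser):
    """Collect rel -> href from <link> tags; first occurrence wins."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        for rel in (a.get("rel") or "").split():
            self.links.setdefault(rel.lower(), a.get("href"))


def html_discover(html: str, claimed_id: str) -> dict:
    """HTML-based discovery (OpenID 2.0, section 7.3.3).

    Returns the OP endpoint plus the identifier the OP should see; the
    claimed identifier doubles as OP-local identifier when the page gives
    no openid2.local_id.  Raises ValueError if no OP is advertised.
    """
    p = _LinkCollector()
    p.feed(html)
    endpoint = p.links.get("openid2.provider")
    if not endpoint:
        raise ValueError("no openid2.provider link in HTML")
    return {"op_endpoint": endpoint,
            "claimed_id": claimed_id,
            "op_local_id": p.links.get("openid2.local_id", claimed_id)}


def choose_sso_idp(_user_input=None) -> dict:
    """Classic SSO: the IdP is fixed by configuration, no user interaction."""
    return {"op_endpoint": SSO_IDP}


def choose_openid_op(user_input, fetch=SAMPLE_PAGES.get,
                     remembered_claimed_id=None) -> dict:
    """OpenID: the OP differs per user, so discovery must run first.

    The first-step prompt can be skipped only if the RP already knows the
    user's identifier (e.g. from a cookie), passed as remembered_claimed_id.
    """
    ident = remembered_claimed_id or user_input
    if not ident:
        raise ValueError("OpenID needs an identifier before an auth request")
    claimed = normalize_identifier(ident)
    if not claimed.startswith("http"):
        raise NotImplementedError("XRI resolution not shown in this example")
    page = fetch(claimed)
    if page is None:
        raise ValueError(f"could not fetch {claimed}")
    return html_discover(page, claimed)


if __name__ == "__main__":
    print(choose_sso_idp("alice.example.org"))          # same answer for everyone
    print(choose_openid_op("alice.example.org"))        # answer depends on the user
    print(choose_openid_op(None, remembered_claimed_id="alice.example.org"))
```

The contrast the post draws falls out of the signatures: `choose_sso_idp` ignores its input, while `choose_openid_op` cannot return anything until it has an identifier and has fetched a document the user controls, which is also why an RP must be careful about what it fetches during discovery.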


