[OpenID] OpenID and SSO
Dick Hardt
dick at sxip.com
Fri Jun 27 14:25:37 UTC 2008
I agree with your analysis on how OpenID and SSO implementations often
work today.
Presuming one of our objectives is to simplify the user experience of
logging into websites: from the user's point of view, they want to
login once and be done with it. This is the user view of SSO.
OpenID does achieve this in the right circumstances.
*if* the RP remembers the user's OpenID the first time they visit the
site and the user only uses one OpenID on the site, then when the user
returns, and if the RP autofills the OpenID in the form, then the user
just has to click the submit button to login (assuming they have a
valid session at their OP and their OP is configured to automatically
login to that RP).
Lots of assumptions in this flow, definitely room for improvement.
Question: do people think improving this is important?
On 26-Jun-08, at 6:57 PM, NISHITANI Masaki wrote:
> Basically, there is a fundamental conflict between ordinary
> SSO and OpenID, I think.
>
> SSO is defined as an authentication/authorization method
> to treat many sites as one. In the SSO world, an end-user does
> not need to care which site it is actually visiting.
>
> In contrast, the purpose of OpenID is to accept the result of
> authentication (assertion) from other sites. OpenID is
> designed to distinguish one site from another.
>
> Technically, SSO requires sites to know which identity
> provider (IdP) the user belongs to without any user
> interaction. Usually this is implemented by configuring only
> one IdP in sites, and as a result, all the sites make up
> a closed circle of trust.
>
> In the OpenID world, that is an open world, a user can choose
> any IdP (OpenID provider in OpenID terms) and an RP can accept
> assertions from hundreds of OPs. To realize this, the RP should
> process the OP selection before making an authentication
> request. This means OpenID usually requires a
> user interaction as the first step.
>
> It is true that the RP can do the first user interaction
> implicitly with cookies, or skip it always using a hard-coded
> OP. But those are not typical SSO nor OpenID use-cases.
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
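The return-visit flow Dick describes above, as an added example (mine, not code from this thread or from any OpenID library): a small Python model in which each missing assumption (no remembered OpenID at the RP, no live session at the OP, no auto-approval for this RP) adds one user interaction. The class and function names, the step labels and the realm values are assumed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class OP:
    """OpenID Provider: who has a live session, and which (user, RP) pairs it auto-approves."""
    sessions: set = field(default_factory=set)
    trusted: set = field(default_factory=set)

    def authenticate(self, identifier, rp_realm):
        steps = []
        if identifier not in self.sessions:
            steps.append("op_login")       # no OP session: the user must log in at the OP
            self.sessions.add(identifier)
        if (identifier, rp_realm) not in self.trusted:
            steps.append("op_approve_rp")  # OP is not configured to auto-login to this RP
            self.trusted.add((identifier, rp_realm))
        return steps


@dataclass
class RP:
    """Relying Party: remembers the OpenID last used, keyed by the browser's cookie."""
    realm: str
    remembered: dict = field(default_factory=dict)


def login(rp, op, cookie, typed_identifier=None):
    """Return the list of user interactions one login needs; [] would be true SSO."""
    steps = []
    identifier = rp.remembered.get(cookie)
    if identifier is None:
        if typed_identifier is None:
            raise ValueError("first visit: the user must supply an OpenID")
        steps.append("type_openid")        # first visit: no OpenID to autofill
        identifier = typed_identifier
    steps.append("click_submit")           # the prefilled form still needs one click
    steps += op.authenticate(identifier, rp.realm)
    # The remembered OpenID is only a UX hint: the RP must still verify the OP's
    # signed assertion (return_to, nonce, signature) on every login before trusting it.
    rp.remembered[cookie] = identifier
    return steps


if __name__ == "__main__":
    op, rp = OP(), RP(realm="https://rp.example/")
    print(login(rp, op, "cookie-1", "https://alice.example/"))  # first visit: four steps
    print(login(rp, op, "cookie-1"))                            # return visit: ['click_submit']
```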