[OpenID] Combining Google & Yahoo user experience research

Peter Williams pwilliams at rapattoni.com
Wed Oct 22 14:04:16 UTC 2008


We just went through this in our little IDP (merely a quarter-million users, using some or other commodity PC stuff in unmanaged LANs, usually). Hardly a Google/Yahoo/AOL-scale operation... so perhaps it doesn't count in OpenID land.

But users Ctrl-N all the time, using IE, and in one frame they log out/log in as a new user on the same site. The point is that IE and ASP.NET have specific session models, and you have to be careful with SSO protocols (SAML now, and presumably OpenID2 once the Board endorses and promotes it for enterprise web SSO).

We too just ended up recognizing when a user has multiple login sessions on the IDP (in one or more "child browsers" on one secure desktop instance), and forcing the user to choose one of them (or a third) before responding to the SSO requestor. Note that this need not be the local security context identity presently used on the spoke being viewed in the invoking browser instance that initiates SSO to another spoke.

This is harder to do with SAML than (it would be) with OpenID2, as SAML has mandatory signals that the IDP must observe that control the UI. One must sometimes produce the correct SAML error too, to be conforming and/or to allow the better-written RP site to recover gracefully.


-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Allen Tom
Sent: Tuesday, October 21, 2008 7:34 PM
To: George Fletcher
Cc: Martin Atkins; OpenID List
Subject: Re: [OpenID] Combining Google & Yahoo user experience research

George Fletcher wrote:
> I don't think the OP should ignore it... but if the user is already
> signed into the OP with a different identifier, then the user should be
> presented with the situation (you are currently signed in with x but
> specified y) and be allowed to choose what to do next (either continue
> with x, or logout x and attempt to authenticate y).
>
>
> Also, if the RP is passing the whole "email address" to the OP, does
> that just go in the openid.claimed_id parameter of the authentication
> request? I'm assuming that "Normalization (section 7.2)" will have no
> issues with resolving http://user@example.com?
>
>
Just as a clarification - I believe that a case could be made to allow
the OP to return a different identifier than what was claimed, however,
the spec must be unambiguous about this.


> I did some simple testing and at least one major site doesn't handle the
> current "Accept: application/xrds+xml" header on requests to
> http://user@example.com.
>
There's definitely room for improvement for clarifying how OpenID
discovery is supposed to work. Hopefully, discovery can be clarified in
a future version of the spec.

Allen


_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
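The OP-side behaviour discussed in the thread (normalizing the identifier the RP passes in openid.claimed_id per OpenID 2.0 section 7.2, then refusing to answer silently when the browser already holds a session for a different identifier, or several sessions), as an added example that is not code from this thread or from any OpenID library; the session list and the three-way "login / continue / choose" outcome are assumptions of this example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

def normalize_identifier(ident: str) -> str:
    """Normalize a user-supplied identifier as in OpenID 2.0 section 7.2."""
    ident = ident.strip()
    if ident.startswith("xri://"):
        ident = ident[len("xri://"):]
    if ident and ident[0] in "=@+$!(":
        return ident  # XRI: no URL processing
    if "://" not in ident:
        ident = "http://" + ident  # e.g. user@example.com -> http://user@example.com
    parts = urlsplit(ident)
    netloc = parts.netloc
    if "@" in netloc:  # keep userinfo as typed, lowercase only the host
        userinfo, host = netloc.rsplit("@", 1)
        netloc = userinfo + "@" + host.lower()
    else:
        netloc = netloc.lower()
    # empty path becomes "/", fragment is dropped
    return urlunsplit((parts.scheme.lower(), netloc, parts.path or "/", parts.query, ""))

@dataclass
class Decision:
    action: str        # "login", "continue" or "choose" (assumed outcome names)
    identities: tuple  # identifiers put in front of the user

def decide(requested: str, active_sessions: list) -> Decision:
    """Decide how the OP answers an authentication request, given the claimed
    identifier and the identities of OP sessions already active in this browser
    (assumed to come from the OP's session store)."""
    req = normalize_identifier(requested)
    active = [normalize_identifier(s) for s in active_sessions]
    if not active:
        return Decision("login", (req,))
    if len(active) == 1 and active[0] == req:
        return Decision("continue", (req,))
    # Signed in as x but asked for y, or several sessions on one desktop:
    # never answer silently for one of them; make the user pick x, y or a fresh login.
    return Decision("choose", tuple(dict.fromkeys(active + [req])))
```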
