[OpenID] Feedback from OpenID demo
Peter Williams
pwilliams at rapattoni.com
Sun May 24 16:43:56 UTC 2009
Concerning auto-signout: in the delegated flow no one OP controls all RP sessions in play in a mashup - where multiple browser tabs are a simplistic mashup.
Furthermore, one OP SHOULD NOT know that user has sessions on other OPs. By implication, OPx should not know that the user has authorized OPy to release user assertions to those RPs bound only to OPy. As an axiom, no one RP should know that the current user/browser has a view on other RPs.
SLO really only works well in IDP-centric trust models, in which the IDP is a policy authority controlling the mashup view (with notions such as auto-login, auto-logout).
In a user-centric view (which is what OpenID used to be), only the user/browser knows the complete security state - and this condition preserves the separation of OPs, RPs, and OP->RP associations.
If we look analytically rather than intuitively now, with XRI delegation one must assume some RPs choose OPx while others choose an OP from the multiple service elements listed in the XRDs returned by XRI 2.0 Resolution. An RPi chooses an OPj based in part on trust model negotiation, which is out of scope of OpenID Auth (and OpenID) - but in scope for patents of course. The choice of OP is guided by the XRDs, which in turn are resolved according to the prescriptions of the XRI query the user provides.
--------
If we take a concrete example, finally, on today's Google Apps websso-powered site one can build one's own personal mashup site, using Google Apps plugins. One plugin is a view of the MSN Messenger IM tool, and another is a view of a Microsoft Exchange inbox tool. Messenger requires a subsidiary live.com security association (using a run of the ws-federation passive websso protocol), and Exchange requires a subsidiary Windows network security association (using a run of the Active Directory/Kerberos websso protocol) today.
Now, one can access that mashup site showing multiple plugins using SAML2 Websso from one's own IDP today - as Google have made the page a relying party of an assertion, just like any other. Using an OpenID/SAML2 gateway from Trustbearer, one can even have an OpenID OP (e.g. Google itself) assert (indirectly) to get a session on Google Apps.
If one were to have the OP/IDP now send Google Apps an SLO logout request, would you expect anything to happen to those subsidiary ws-fed and Kerberos sessions? Of course not! Surely? They are not even visible to the IDP/OP, despite being visible to the user on the same mashup site. Though the user would lose the view of those Messenger/Outlook sites from the Google mashup/plugin site upon SLO, other tools on the PC desktop would and should still have access to viable ws-fed or Kerberos sessions.
________________________________________
From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of Steven Livingstone-Perez [weblivz at hotmail.com]
Sent: Saturday, May 23, 2009 1:34 PM
To: Andrew Arnott; SitG Admin
Cc: general at openid.net
Subject: Re: [OpenID] Feedback from OpenID demo
I can imagine some kind of OP-managed RP ruleset login/logout would be
useful (based on how I typically log in/out of sites each day).
At its simplest one could say that logging out of RP1 should also log me
in/out of a set of related RPs under Profile 1. Profile 2 may be a
different set of RPs. This is actually pretty common - take for example how
Windows Live logs you into a bunch of partner sites (but I'm not sure how
they control SSO logout).
--
steven
http://livz.org
--------------------------------------------------
From: "SitG Admin" <sysadmin at shadowsinthegarden.com>
Sent: Saturday, May 23, 2009 9:15 PM
To: "Andrew Arnott" <andrewarnott at gmail.com>
Cc: <general at openid.net>
Subject: Re: [OpenID] Feedback from OpenID demo
>>If OpenID is to add single sign-out, it MUST be comprehensive. That is,
>>the OP must coordinate logging the user out of EVERY RP he logged into
>>during that OP's session.
>
> But here's where I want granularity: SSO is supposed to make things
> *easier*, not make some things IMPOSSIBLE.
>
> If the OP is like a proxy saying "I will automatically log you into
> whatever RP you have previously approved.", it should logically be
> possible for me to disable that SSO functionality so it STOPS
> automatically logging me into those RPs, *without* completely terminating
> my internet connection by turning off the proxy entirely (i.e., killing my
> sessions at the RPs I *want* to continue interacting with).
>
> -Shade
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
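The logout-scope argument running through the thread above (an OP can only reach the RP sessions it asserted to, subsidiary ws-fed/Kerberos sessions stay out of its sight, and the user should be able to switch off auto-login without tearing sessions down) is easier to see as a small state model. The following is an added illustration, not code from the OpenID list, from Google Apps, or from any OP/RP product; the names OPx, OPy, the plugin/RP identifiers and the "authority" field are assumptions made for the model.

```python
"""Model of single-logout (SLO) scope in a delegated, user-centric SSO setup.

Constructed illustration only. OP/RP names, the 'authority' label and the
subsidiary session names are assumptions, not values from any real system.
"""
from dataclasses import dataclass


@dataclass
class Session:
    rp: str          # relying party / plugin that holds the session
    authority: str   # who asserted identity: an OP, or a subsidiary IdP (ws-fed, Kerberos)
    active: bool = True


class Browser:
    """User agent: the only party that sees every session in play."""

    def __init__(self):
        self.sessions = {}        # rp -> Session
        self.auto_login = set()   # authorities allowed to re-authenticate silently

    def login(self, rp, authority):
        self.sessions[rp] = Session(rp, authority)
        self.auto_login.add(authority)

    def active_sessions(self):
        return sorted(s.rp for s in self.sessions.values() if s.active)

    def disable_auto_login(self, authority):
        # Stop silent re-login at one authority; existing RP sessions are untouched.
        self.auto_login.discard(authority)

    def can_auto_login(self, authority):
        return authority in self.auto_login

    def logout_profile(self, rps):
        # User-chosen group of RPs logged out together (browser-side, no OP involved).
        for rp in rps:
            if rp in self.sessions:
                self.sessions[rp].active = False


class OP:
    """An OpenID provider; it only knows the RPs it asserted to itself."""

    def __init__(self, name):
        self.name = name
        self.asserted_to = set()

    def assert_to(self, browser, rp):
        self.asserted_to.add(rp)
        browser.login(rp, self.name)

    def single_logout(self, browser):
        """OP-initiated SLO: reaches only RPs bound to this OP, returns those reached."""
        reached = []
        for rp in sorted(self.asserted_to):
            s = browser.sessions.get(rp)
            if s and s.authority == self.name and s.active:
                s.active = False
                reached.append(rp)
        return reached


def demo():
    """Mashup host bound to OPx, one RP bound to OPy, two subsidiary sessions."""
    b = Browser()
    opx, opy = OP("OPx"), OP("OPy")
    opx.assert_to(b, "google-apps")        # mashup host, reached via an OpenID/SAML gateway
    opy.assert_to(b, "rp-bound-to-opy")    # OPx never learns this session exists
    # subsidiary sessions created by plugins; invisible to either OP
    b.login("messenger-plugin", "live.com-wsfed")
    b.login("exchange-plugin", "ad-kerberos")
    before = b.active_sessions()
    reached = opx.single_logout(b)
    after = b.active_sessions()
    return before, reached, after


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows OPx's SLO touching only `google-apps`; the OPy-bound RP and the two subsidiary sessions survive, because OPx holds no record of them. The `disable_auto_login` path models the granularity asked for in the thread: the browser stops silent re-authentication at an OP while every RP session stays active.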