<div dir="ltr">There is no trusted OP in my ideal scenario... unless it was the Org's OP in question, but I'm trying to avoid creating that... or at least the need to log in with that Org's OP.<div><br></div><div>
With an XRI, is there no way to add a &lt;Service&gt; in the XRDS file that somehow would point to the Org in some special way that could (with programming on the RP's side) allow the RP to contact the Org programmatically and check membership? The XRDS seems like an ideal place to put it. </div>
<div><br><div class="gmail_quote">On Mon, Sep 15, 2008 at 4:52 PM, Nate Klingenstein <span dir="ltr">&lt;<a href="mailto:ndk@internet2.edu">ndk@internet2.edu</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Andrew,<br>
<br>
As long as the identifier itself is both the expression of membership and inextricably linked to a DNS name, your scenario is pretty difficult to realize without placing requirements on the organization that many today would judge impractical. The obvious answer is to send an attribute that represents "this is a member of organization XYZ", and allow the trusted OP to assert that information on behalf of organization XYZ.<br>
<br>
However, OpenID support for attributes has been mostly theoretical to this point in time. I would like to see that change, but there's a lot of inertia now and a huge focus on imputing meaning to the identifier itself.<br>
<br>
Take care,<br><font color="#888888">
Nate.</font><div><div></div><div class="Wj3C7c"><br>
<br>
On 15 Sep 2008, at 23:45, Andrew Arnott wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
How can an RP accept an OpenID Identifier from arbitrary OPs, but at each login determine whether the Identifier represents a user who belongs to a particular Organization? Basically the Organization needs to send an assertion about the Identifier's membership, but only be willing to do so if that identifier is confirmed as having logged in successfully to that RP. This would be easy to do if that Org was an OP, but I'm trying to reduce the # of reasons to be an OP.<br>
</blockquote>
<br>
</div></div></blockquote></div><br></div></div>
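<div>As an added illustration of the XRDS idea raised in the thread (example code, not from either correspondent): an RP-side parser that finds a hypothetical org-membership &lt;Service&gt; alongside the standard OpenID signon service, and accepts its endpoint only for organizations the RP already recognizes, because the XRDS is published by whoever controls the identifier and so can claim any service. The membership service type URI, hostnames and sample document are constructed placeholders.</div>

```python
# Added example: locating a hypothetical org-membership Service in an XRDS
# document on the RP side. Not code from the thread's participants.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XRD_NS = "xri://$xrd*($v*2.0)"                       # XRD 2.0 namespace
OPENID_SIGNON = "http://specs.openid.net/auth/2.0/signon"  # real OpenID 2.0 type
# Hypothetical service type: the OpenID specs define no such thing.
ORG_MEMBERSHIP = "http://example.org/xrds/org-membership/1.0"

# Constructed sample XRDS for a claimed identifier.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example.net/endpoint</URI>
    </Service>
    <Service priority="20">
      <Type>http://example.org/xrds/org-membership/1.0</Type>
      <URI>https://members.example.org/check</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def services(xrds_text):
    """Yield (types, uris) for every Service element in the XRDS."""
    root = ET.fromstring(xrds_text)
    for svc in root.iter("{%s}Service" % XRD_NS):
        types = [t.text.strip() for t in svc.findall("{%s}Type" % XRD_NS)]
        uris = [u.text.strip() for u in svc.findall("{%s}URI" % XRD_NS)]
        yield types, uris


def find_service(xrds_text, service_type):
    """Return the first URI advertised for service_type, or None."""
    for types, uris in services(xrds_text):
        if service_type in types and uris:
            return uris[0]
    return None


def membership_endpoint(xrds_text, known_org_hosts):
    """Return the membership-check endpoint only if it belongs to an
    organization the RP already knows and uses https. The XRDS is a hint
    from the identifier's owner, not evidence of membership; the Org
    itself still has to confirm it after the OpenID login succeeds."""
    uri = find_service(xrds_text, ORG_MEMBERSHIP)
    if uri is None:
        return None
    parsed = urlparse(uri)
    if parsed.scheme != "https" or parsed.hostname not in known_org_hosts:
        return None
    return uri
```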