<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'><div dir='ltr'>
Just thinking of using the openid session between two websites as glue, between 2 browser sessions : https to IDP, https to SP. The cert (a signed token with embedded URIs) over (hmac-authenticated) AX is the glue. its upto both IDP and SP to independently request the (same) cert.<BR><br> Now, in the era of homerealm selectors (openid connect, I think, too), there can be multiple home selectors in a chain.<BR> <BR>For example, I found one by accident in our own testing universe:<BR> <BR><a href="https://ssoportal.rapmlsstg.com/BARI/homerealm.aspx">https://ssoportal.rapmlsstg.com/BARI/homerealm.aspx</a> has a vendor's system (PingFederate) present a list of IDPs (largely according to SAML's spec and counsel). Its an unadorned, default rendering (thats awful to look at).<BR> <BR> <BR>One Idp on the list is <span id="ctl00_STSLabel">ssologinstage.utcfireandsecurity.com. Choose it, and it presents its own additional home realm selector. If I recall the project with the partner, it was an ADFS v2 integration. I dont know it it conforms with the SAML model for domain cookies, or not, though.</span><BR><span></span> <BR><span>So, just as there are now in reality chains of passive STS for requesting and returning assertions (with or without protocol and blob format conversion), there are evidently chains of home realm selectors.</span><BR><span></span> <BR><span></span> <BR><div><hr id="stopSpelling">Subject: Re: [OpenID] openid and account linking<br>From: ve7jtb@ve7jtb.com<br>Date: Fri, 5 Aug 2011 17:21:09 -0400<br>CC: openid-general@lists.openid.net<br>To: home_pw@msn.com<br><br>
<meta name="Generator" content="Microsoft SafeHTML"><base>I don't know of anyone doing that. <div><br></div><div>There have been some dissuasions about doing holder of key as an option in openID Connect for high security (LoA 4) use cases.</div><div><br></div><div>It wouldn't be hard to do in OpenID 2.0, but you will probably need to set up a special IdP.</div><div><br></div><div>I don't think MyOpenid ever passed on the cert as a AX attribute, it was just generating a JainRain cert for the primary authenticator.</div><div><br></div><div>John B.<br><div><div>On 2011-08-05, at 5:13 PM, Peter Williams wrote:</div><br class="ecxApple-interchange-newline"><blockquote><span style="font:/normal Helvetica; text-transform: none; text-indent: 0px; letter-spacing: normal; word-spacing: 0px; white-space: normal; border-collapse: separate; orphans: 2; widows: 2;" class="ecxApple-style-span"><div style="font-family: Tahoma; font-size: 10pt;" class="ecxhmmessage"><div dir="ltr">how long has it been since I first heard of openid? (digital ID world, San Jose)?<span class="ecxApple-converted-space"> </span><br> <br>Anyways, now 30% of the US towns offering an MLS website (for realtors) are capable of working with openid providers (thanks to Microsoft Azure gatewaying technology).<br> <br>We will see if anyone adopts it, now it works.<br> <br>if anyone cares, it was Microsoft delivery, architeture and packaging that sealed the day. They didnt seek to govern. They didnt bundle it with their cloud framework for hosting. They didnt force any openid-specific changed in the app. They didnt make us argue religious wars (is OAUTH better than openid, than SAML, than this or that). They dont update the code every 2 weeks. They did enable interoperability; and they did enable the DISTINCTIVE features of openid (webbiness) to showcase themselves.<br> <br>anyone know of a OP doing SSL client authn. Myopenid used to do it... but I cannot fathom how to turn it on, these days. What we NEED is for the OP to send the cert received via SSL client authn, as an AX attribute.... (We want to parse its AIA URI field(s), and dereference the rich metadata documents thereby identified)<br></div>_______________________________________________<br>general mailing list<br><a href="mailto:general@lists.openid.net">general@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br></div></span></blockquote></div><br></div></div> </div></body>
</html>