[Openid-specs-ab] IdP initiated login/ unsolicited positive assertion.
John Bradley
ve7jtb at ve7jtb.com
Thu Sep 1 21:58:32 UTC 2011
One issue to think about is that with all of our XSRF protections we no longer have a way to do IdP initiated login.
It was a feature of openID 2.0 that was almost never used. I know that it is used more in SAML SSO.
We could add back the ability to do it by adding a claim to the id_token if the authorization server is initiating the login; that way the RP would know that the nonce is IdP generated.
I don't know that the additional complexity and security issues are worth it.
I thought I would mention it, in case someone cares deeply about it.
John B.
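To make the trade-off in the message concrete, here is an added sketch (not from the post, and not from any OpenID specification) of how an RP's nonce check could distinguish the two cases. The claim name `idp_initiated` is a hypothetical placeholder for the claim the message suggests; signature, issuer, audience and expiry validation are assumed to have happened before `accept_id_token` is called.

```python
import secrets

# Hypothetical claim marking a token as IdP-initiated; no spec defines this name.
IDP_INITIATED_CLAIM = "idp_initiated"


class RelyingParty:
    """Minimal RP-side handling of the id_token nonce."""

    def __init__(self):
        # Replay cache for IdP-generated nonces, which are not bound to an RP session.
        self.seen_idp_nonces = set()

    def start_login(self, session):
        """RP-initiated flow: mint a nonce, bind it to the browser session."""
        session["nonce"] = secrets.token_urlsafe(16)
        return session["nonce"]

    def accept_id_token(self, session, claims):
        """Return an accept/reject verdict for an already-verified id_token."""
        nonce = claims.get("nonce")
        if not nonce:
            return "reject: missing nonce"

        # Normal XSRF protection: the nonce must be the one this session requested.
        expected = session.get("nonce")
        if expected is not None and secrets.compare_digest(nonce, expected):
            session["nonce"] = None  # single use
            return "accept: rp-initiated"

        # IdP-initiated: the nonce was minted by the authorization server, so the
        # RP cannot match it against a session; fall back to replay detection only.
        if claims.get(IDP_INITIATED_CLAIM) is True:
            if nonce in self.seen_idp_nonces:
                return "reject: replayed idp-initiated token"
            self.seen_idp_nonces.add(nonce)
            return "accept: idp-initiated"

        return "reject: nonce not bound to this session"
```

The weaker IdP-initiated branch is exactly the extra attack surface the message alludes to: the RP loses the session binding and is left with replay detection alone.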