[Openid-specs-ab] IdP initiated login/ unsolicited positive assertion.

Axel.Nennker at telekom.de Axel.Nennker at telekom.de
Fri Sep 2 17:57:35 UTC 2011


This might be useful for an active client.
The ISA initiates the flow and sends the unsolicited positive assertion to the OC.

What does OpenID Connect have to support intelligent agents?

-Axel

> -----Original Message-----
> From: openid-specs-ab-bounces at lists.openid.net
> [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf
> Of John Bradley
> Sent: Thursday, September 01, 2011 11:59 PM
> To: openid-specs-ab at lists.openid.net
> Subject: [Openid-specs-ab] IdP initiated login/ unsolicited
> positive assertion.
>
> One issue to think about is that with all of our XSRF
> protections we no longer have a way to do IdP initiated login.
>
> It was a feature of OpenID 2.0 that was almost never used.  I
> know that it is used more in SAML SSO.
>
> We could add back the ability to do it by adding a claim to
> the id_token if the authorization server is initiating the
> login, that way the RP would know that the nonce is IdP generated.
>
> I don't know that the additional complexity and security
> issues are worth it.
>
> I thought I would mention it, in case someone cares deeply about it.
>
> John B.
>


