[Openid-specs-ab] IdP initiated login/ unsolicited positive assertion.

John Bradley ve7jtb at ve7jtb.com
Tue Sep 6 17:42:29 UTC 2011


I think that an initialization endpoint that can be a static document is the best approach.
That may need to contain client IDs for multiple IdPs.

John
On 2011-09-06, at 2:24 PM, Breno de Medeiros wrote:

> On Sun, Sep 4, 2011 at 13:45, John Bradley <ve7jtb at ve7jtb.com> wrote:
>> Yes Microsoft did make use of unsolicited positive assertions for their prototype openID selector.
>> 
>> A possible simple way around it would be for the RP to have an endpoint where an intelligent agent could make a request to start a session, that would allow the RP to provide its client id for the IdP, state and nonce.
>> Without those an intelligent agent won't be able to make an OAuth request.
> 
> I think an endpoint for the RP to start the request is a better
> approach than unsolicited assertions. It is more likely to be
> maintainable. Consider for instance, that RPs may want to request
> different attribute sets and that may evolve over time.
> 
>> 
>> With per-IdP client IDs and secrets it is a challenge.   You really want global RP identifiers and asymmetric signatures to make an intelligent agent work reliably.
>> 
>> John
>> 
>> On 2011-09-02, at 2:57 PM, <Axel.Nennker at telekom.de> <Axel.Nennker at telekom.de> wrote:
>> 
>>> This might be useful for an active client.
>>> The ISA initiates the flow and sends the unsolicited positive assertion to the OC.
>>> 
>>> What does OpenID Connect have to support intelligent agents?
>>> 
>>> -Axel
>>> 
>>>> -----Original Message-----
>>>> From: openid-specs-ab-bounces at lists.openid.net
>>>> [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf
>>>> Of John Bradley
>>>> Sent: Thursday, September 01, 2011 11:59 PM
>>>> To: openid-specs-ab at lists.openid.net
>>>> Subject: [Openid-specs-ab] IdP initiated login/ unsolicited
>>>> positive assertion.
>>>> 
>>>> One issue to think about is that with all of our XSRF
>>>> protections we no longer have a way to do IdP initiated login.
>>>> 
>>>> It was a feature of OpenID 2.0 that was almost never used.  I
>>>> know that it is used more in SAML SSO.
>>>> 
>>>> We could add back the ability to do it by adding a claim to
>>>> the id_token if the authorization server is initiating the
>>>> login, that way the RP would know that the nonce is IdP generated.
>>>> 
>>>> I don't know that the additional complexity and security
>>>> issues are worth it.
>>>> 
>>>> I thought I would mention it, in case someone cares deeply about it.
>>>> 
>>>> John B.
>>>> 
>> 
>> 
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>> 
>> 
> 
> 
> 
> -- 
> --Breno
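An added example (mine, not code from this thread or from the OpenID Connect specs) of the RP initiation endpoint John proposes. It shows why an unsolicited positive assertion fails an RP's state/nonce checks, and how an agent that first asks the RP for client_id, state and nonce can complete the flow. It simplifies in ways the thread itself argues against: an HMAC-SHA256 "JWT" with a shared secret stands in for an asymmetrically signed JWS, and the issuer URL, client_id and key are assumed values.

```python
"""RP initiation endpoint for an agent-started OpenID Connect login.

Added example; not from the thread or any spec. Assumptions: HMAC-SHA256
stands in for a real JWS with asymmetric keys; one client_id per IdP;
pending state is kept in memory.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

ISSUER = "https://idp.example"   # assumed IdP identifier
IDP_KEY = b"demo-shared-secret"  # assumed; stands in for the IdP's signing key
CLIENT_ID = "rp-client-123"      # assumed client_id registered at that IdP


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """header.payload.mac, HMAC-SHA256 over the first two parts (JWS stand-in)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"


def verify_token(token: str, key: bytes) -> dict:
    """Check MAC and expiry; the caller still checks iss, aud and nonce."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed id_token")
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        raise ValueError("id_token expired")
    return claims


class RelyingParty:
    def __init__(self, client_id, issuer, key, ttl=300):
        self.client_id, self.issuer, self.key, self.ttl = client_id, issuer, key, ttl
        self.pending = {}  # state -> (nonce, issued_at); single use

    def initiate(self, idp_issuer: str) -> dict:
        """Initiation endpoint: give an agent client_id plus fresh state and
        nonce so it can start the request, instead of the IdP pushing one."""
        if idp_issuer != self.issuer:
            raise ValueError("no client_id registered for that IdP")
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = (nonce, time.time())
        return {"client_id": self.client_id, "state": state, "nonce": nonce,
                "response_type": "id_token", "scope": "openid"}

    def consume(self, state: str, id_token: str) -> dict:
        """Accept an assertion only if it answers a request this RP issued."""
        entry = self.pending.pop(state, None)  # pop: a replayed state fails
        if entry is None:
            raise ValueError("unknown state: unsolicited or replayed assertion")
        nonce, issued_at = entry
        if time.time() - issued_at > self.ttl:
            raise ValueError("state expired")
        claims = verify_token(id_token, self.key)
        if claims.get("iss") != self.issuer:
            raise ValueError("wrong issuer")
        if claims.get("aud") != self.client_id:
            raise ValueError("id_token not issued to this client_id")
        if not hmac.compare_digest(str(claims.get("nonce", "")), nonce):
            raise ValueError("nonce is not the one this RP generated")
        return claims


class IdentityProvider:
    def __init__(self, issuer, key):
        self.issuer, self.key = issuer, key

    def authenticate(self, request: dict, subject: str):
        """Echo the request's nonce into the id_token, as an IdP would."""
        now = int(time.time())
        claims = {"iss": self.issuer, "sub": subject, "aud": request["client_id"],
                  "nonce": request["nonce"], "iat": now, "exp": now + 300}
        return request["state"], sign_token(claims, self.key)


def run_scenarios():
    """Returns (accepted subject, unsolicited rejected?, replay rejected?)."""
    rp, idp = RelyingParty(CLIENT_ID, ISSUER, IDP_KEY), IdentityProvider(ISSUER, IDP_KEY)
    # 1. Agent-started login: fetch parameters from the RP, hand them to the IdP.
    request = rp.initiate(ISSUER)
    state, token = idp.authenticate(request, "alice")
    subject = rp.consume(state, token)["sub"]
    # 2. Unsolicited positive assertion: the IdP invents state and nonce itself.
    unsolicited = {"client_id": CLIENT_ID, "state": "idp-chosen", "nonce": "idp-chosen"}
    try:
        rp.consume(*idp.authenticate(unsolicited, "alice"))
        unsolicited_rejected = False
    except ValueError:
        unsolicited_rejected = True
    # 3. Replay of the assertion accepted in step 1.
    try:
        rp.consume(state, token)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return subject, unsolicited_rejected, replay_rejected


if __name__ == "__main__":
    print(run_scenarios())
```

The point of the initiation endpoint is that `state` and `nonce` remain RP-generated and RP-bound, so the existing XSRF and replay protections keep working; an assertion whose `state` the RP never issued is rejected before the signature is even checked. What the example does not model is the per-IdP client secret problem John raises: with a shared secret the agent can only ever start flows at IdPs the RP already has a registration with, which is why the thread wants global RP identifiers and asymmetric signatures.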
