[Openid-specs-ab] IdP initiated login/ unsolicited positive assertion.
Andreas Åkre Solberg
andreas.solberg at uninett.no
Tue Sep 6 17:43:39 UTC 2011
We have a very specific use of unsolicited response (in SAML).
Our experience shows that users do at least two (stupid) things (surprisingly often):
* Use the back button in the browser after login.
* Bookmark the login page of a service (at the provider, but the user does not know).
Both these situations tend to break hard on an SSO system. What we've done in our SAML IdP to solve the user experience is the following; in the IdP on the login page we include a 'restart url' in the URL. If the IdP is not able to retrieve the state from the state storage, it will fall back to redirect to the restart url. The 'restart url' includes enough information to perform an unsolicited response to the relevant service provider. This fix solves both problems to some extent.
A simple alternative that might be used to solve this problem with an OpenID Connect provider (simpler than adding support for unsolicited response), is to add an optional parameter 'restart url' in the authorization request object. If the Provider for some reason is not able to restore the current state (because of back button or bookmark, or similar), it may redirect to the restart url at the RP, and the RP will send a new authorization request, and give a decent user experience.
Andreas
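The restart-url fallback described in the post, as an added example that is not from the thread or from any of the implementations mentioned; the parameter name `restart_url`, the client registry, the session ids and the constructed authorization code are assumptions. It adds the check a provider would want: the restart target is honoured only when it matches an origin already registered for the client, so the fallback cannot turn the provider into an open redirector.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed client registry (assumption): redirect targets the provider trusts per client.
CLIENTS = {"rp-example": ["https://rp.example.org/callback"]}

def _origin(url):
    p = urlparse(url)
    return (p.scheme, p.hostname, p.port)

def restart_url_allowed(client_id, restart_url):
    """Redirect only to an https origin already registered for this client (no open redirect)."""
    p = urlparse(restart_url)
    return p.scheme == "https" and any(_origin(restart_url) == _origin(u) for u in CLIENTS.get(client_id, []))

class Provider:
    def __init__(self):
        self.sessions = {}  # sid -> stored authorization request state

    def authorize(self, client_id, redirect_uri, state, restart_url, sid):
        """Handle the authorization request; return the login page URL the user is sent to."""
        if redirect_uri not in CLIENTS.get(client_id, []) or not restart_url_allowed(client_id, restart_url):
            return {"error": "invalid_request"}
        self.sessions[sid] = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
        # As in the SAML IdP described above, the login page URL itself carries the restart info.
        return {"login_page": "/login?" + urlencode({"sid": sid, "client_id": client_id, "restart": restart_url})}

    def login_submit(self, login_page_url):
        """User submits the login page (fresh, after the Back button, or from a bookmark)."""
        q = parse_qs(urlparse(login_page_url).query)
        sid, client_id, restart = q["sid"][0], q["client_id"][0], q["restart"][0]
        req = self.sessions.pop(sid, None)
        if req is not None:
            # Normal flow: state found, hand a (constructed) code and the RP's state back.
            return {"redirect": req["redirect_uri"] + "?" + urlencode({"code": "constructed-code", "state": req["state"]})}
        # State is gone: fall back to the RP's restart URL. It is re-validated because the
        # login page URL came back from the browser and could have been tampered with.
        if restart_url_allowed(client_id, restart):
            return {"redirect": restart}
        return {"error": "session_expired"}

def demo():
    op = Provider()
    first = op.authorize("rp-example", "https://rp.example.org/callback", "xyz", "https://rp.example.org/start", "sid-1")
    ok = op.login_submit(first["login_page"])      # first submit: state present
    again = op.login_submit(first["login_page"])   # Back button / bookmark: state gone, restart instead
    return ok, again
```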