[Openid-specs-ab] IdP initiated login/ unsolicited positive assertion.
Allen Tom
allentomdude at gmail.com
Tue Sep 6 17:44:38 UTC 2011
As an additional datapoint, I know of a large web portal that uses
unsolicited positive assertions when linking to partner websites.
Unsolicited positive assertions are used to keep the user seamlessly logged
in when clicking on links from one domain to another domain.
This web portal has links to external sites hosted by partners on other
domains. A user who is logged into the portal can click on a link from the
portal to the partner's site, and automatically be logged in to the
partner's domain.
Interestingly, in some cases, SSO worked in both directions, in what can be
described as a dual-IdP setup. The user could also log into the partner's
website, and then click on a sponsored link to the portal's site, and
automatically be logged into the portal.
In order to prevent session fixation attacks, it would be a good idea for
the RP to bounce the browser back to the IdP to make sure that it's the same
browser that clicked on the link.
Allen
On Tue, Sep 6, 2011 at 10:24 AM, Breno de Medeiros <breno at google.com> wrote:
> On Sun, Sep 4, 2011 at 13:45, John Bradley <ve7jtb at ve7jtb.com> wrote:
> > Yes Microsoft did make use of unsolicited positive assertions for their
> prototype openID selector.
> >
> > A possible simple way around it would be for the RP to have an endpoint
> where an intelligent agent could make a request to start a session, that
> would allow the RP to provide its client id for the IdP, state and nonce.
> > Without those an intelligent agent won't be able to make an OAuth request.
>
> I think an endpoint for the RP to start the request is a better
> approach than unsolicited assertions. It is more likely to be
> maintainable. Consider for instance, that RPs may want to request
> different attribute sets and that may evolve over time.
>
> >
> > With per IdP client ID and secrets it is a challenge. You really want
> global RP identifiers and asymmetric signatures to make an intelligent agent
> work reliably.
> >
> > John
> >
> > On 2011-09-02, at 2:57 PM, <Axel.Nennker at telekom.de> <
> Axel.Nennker at telekom.de> wrote:
> >
> >> This might be useful for an active client.
> >> The ISA initiates the flow and sends the unsolicited positive assertion
> to the OC.
> >>
> >> What does OpenID Connect have to support intelligent agents?
> >>
> >> -Axel
> >>
> >>> -----Original Message-----
> >>> From: openid-specs-ab-bounces at lists.openid.net
> >>> [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf
> >>> Of John Bradley
> >>> Sent: Thursday, September 01, 2011 11:59 PM
> >>> To: openid-specs-ab at lists.openid.net
> >>> Subject: [Openid-specs-ab] IdP initiated login/ unsolicited
> >>> positive assertion.
> >>>
> >>> One issue to think about is that with all of our XSRF
> >>> protections we no longer have a way to do IdP initiated login.
> >>>
> >>> It was a feature of openID 2.0 that was almost never used. I
> >>> know that it is used more in SAML SSO.
> >>>
> >>> We could add back the ability to do it by adding a claim to
> >>> the id_token if the authorization server is initiating the
> >>> login, that way the RP would know that the nonce is IdP generated.
> >>>
> >>> I don't know that the additional complexity and security
> >>> issues are worth it.
> >>>
> >>> I thought I would mention it, in case someone cares deeply about it.
> >>>
> >>> John B.
> >>>
> >
> >
> > _______________________________________________
> > Openid-specs-ab mailing list
> > Openid-specs-ab at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-specs-ab
> >
> >
>
>
>
> --
> --Breno
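The two mitigations discussed in this thread, an RP "start login" endpoint that mints state and nonce (John's suggestion) and bouncing an unsolicited assertion back to the IdP instead of accepting it (Allen's suggestion), sketched as an added example that is not part of the thread or of any OpenID Connect implementation. CLIENT_ID, REDIRECT_URI, ISSUER, the in-memory pending-request store and the browser session ids are assumptions for the demo; id_token signature verification is assumed to have already happened, so the functions take the decoded claims.

```python
"""RP-initiated login with per-browser state/nonce binding (added example).

Models an RP that only accepts an id_token answering a request the RP
itself started from the same browser session. Anything else, including
an IdP-initiated "unsolicited positive assertion", is refused and the
browser is bounced into a fresh RP-initiated request.
"""
import secrets
import time

CLIENT_ID = "rp-client-123"             # hypothetical RP client id
REDIRECT_URI = "https://rp.example/cb"  # hypothetical callback URL
ISSUER = "https://idp.example"          # hypothetical IdP issuer
STATE_TTL = 300                          # seconds a pending request stays valid


def _eq(a, b):
    """Constant-time string compare that tolerates missing values."""
    return secrets.compare_digest((a or "").encode(), (b or "").encode())


class RelyingParty:
    def __init__(self, now=time.time):
        self._now = now
        # pending login requests keyed by browser session id (in-memory for the demo)
        self._pending = {}  # session_id -> {"state", "nonce", "issued"}

    def start_login(self, session_id, scope="openid"):
        """Mint state and nonce bound to this browser session and return the
        authorization request the browser (or intelligent agent) sends to the IdP."""
        state = secrets.token_urlsafe(32)
        nonce = secrets.token_urlsafe(32)
        self._pending[session_id] = {"state": state, "nonce": nonce,
                                     "issued": self._now()}
        return {
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "response_type": "code",
            "scope": scope,
            "state": state,
            "nonce": nonce,
        }

    def handle_callback(self, session_id, state, claims):
        """Accept decoded id_token claims only if they answer a request this RP
        made from this same browser session. Returns (accepted, reason)."""
        pending = self._pending.get(session_id)
        if pending is None:
            # No request outstanding: an unsolicited assertion or a replay.
            return False, "no login pending for this browser session"
        if self._now() - pending["issued"] > STATE_TTL:
            del self._pending[session_id]
            return False, "login request expired"
        if not _eq(state, pending["state"]):
            # Response minted for some other browser (login CSRF / fixation).
            return False, "state mismatch"
        if claims.get("iss") != ISSUER:
            return False, "unexpected issuer"
        if claims.get("aud") != CLIENT_ID:
            return False, "wrong audience"
        if not _eq(claims.get("nonce"), pending["nonce"]):
            return False, "nonce not issued by this RP for this session"
        # Single use: consume the pending request so a replay of the same
        # response is rejected.
        del self._pending[session_id]
        return True, "accepted subject %s" % claims.get("sub")

    def handle_unsolicited(self, session_id, claims):
        """Bounce: ignore the asserted identity and start an RP-initiated
        request instead, so only the browser that actually follows the
        redirect to the IdP can complete the login."""
        if claims.get("iss") != ISSUER:
            return None  # unknown IdP; nothing to bounce to
        return self.start_login(session_id)


if __name__ == "__main__":
    rp = RelyingParty()
    req = rp.start_login("browser-A")
    # Constructed id_token claims as the IdP would return them for that request.
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice", "nonce": req["nonce"]}
    print(rp.handle_callback("browser-A", req["state"], claims))
    print(rp.handle_callback("browser-A", req["state"], claims))  # replay
    print(rp.handle_callback("browser-B", "idp-chosen",
                             {"iss": ISSUER, "aud": CLIENT_ID, "sub": "bob",
                              "nonce": "idp-chosen"}))  # unsolicited
```

The state check is what defeats the login-CSRF variant of the thread's session fixation concern: a response minted for the attacker's browser carries the attacker's state and cannot be delivered into the victim's pending session. Expiry and single use keep the pending table from becoming a replay oracle.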