[Openid-specs-ab] IdP initiated login/ unsolicited positive assertion.
Anthony Nadalin
tonynad at microsoft.com
Wed Sep 7 21:05:39 UTC 2011
Please note that the prototype selector was just that and has not gone further.
-----Original Message-----
From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Breno de Medeiros
Sent: Tuesday, September 06, 2011 10:25 AM
To: John Bradley
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] IdP initiated login/ unsolicited positive assertion.
On Sun, Sep 4, 2011 at 13:45, John Bradley <ve7jtb at ve7jtb.com> wrote:
> Yes, Microsoft did make use of unsolicited positive assertions for their prototype openID selector.
>
> A possible simple way around it would be for the RP to have an endpoint where an intelligent agent could make a request to start a session, that would allow the RP to provide its client id for the IdP, state and nonce.
> Without those an intelligent agent won't be able to make an OAuth request.
I think an endpoint for the RP to start the request is a better approach than unsolicited assertions. It is more likely to be maintainable. Consider for instance, that RPs may want to request different attribute sets and that may evolve over time.
>
> With per IdP client ID and secrets it is a challenge. You really want global RP identifiers and asymmetric signatures to make an intelligent agent work reliably.
>
> John
>
> On 2011-09-02, at 2:57 PM, <Axel.Nennker at telekom.de> <Axel.Nennker at telekom.de> wrote:
>
>> This might be useful for an active client.
>> The ISA initiates the flow and sends the unsolicited positive assertion to the OC.
>>
>> What does OpenID Connect have to support intelligent agents?
>>
>> -Axel
>>
>>> -----Original Message-----
>>> From: openid-specs-ab-bounces at lists.openid.net
>>> [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of John
>>> Bradley
>>> Sent: Thursday, September 01, 2011 11:59 PM
>>> To: openid-specs-ab at lists.openid.net
>>> Subject: [Openid-specs-ab] IdP initiated login/ unsolicited positive
>>> assertion.
>>>
>>> One issue to think about is that with all of our XSRF protections we
>>> no longer have a way to do IdP initiated login.
>>>
>>> It was a feature of openID 2.0 that was almost never used. I know
>>> that it is used more in SAML SSO.
>>>
>>> We could add back the ability to do it by adding a claim to the
>>> id_token if the authorization server is initiating the login, that
>>> way the RP would know that the nonce is IdP generated.
>>>
>>> I don't know that the additional complexity and security issues are
>>> worth it.
>>>
>>> I thought I would mention it, in case someone cares deeply about it.
>>>
>>> John B.
>>>
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
--
--Breno
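The "start a session" endpoint discussed in the thread, as an added example in Python that is not code from any of the posters or from the OpenID Connect specification. The RP mints its own state and nonce, remembers them, and later accepts only an ID token that carries a nonce it issued, so an assertion the IdP generated on its own (no matching state) is rejected. The names RelyingParty, start_login, accept_id_token and the ttl_seconds parameter are assumptions for this example; the iss, aud and nonce claim names are the standard ID token claims. Signature verification of the token is assumed to have been done before these checks and is left out.

```python
# Added example (not from the thread): a toy relying party (RP) whose
# "start login" endpoint hands an IdP-side agent the client_id, state and
# nonce it needs, and which then accepts only ID tokens bound to a request
# it issued itself. RelyingParty, start_login and accept_id_token are
# names assumed for this example, not an OpenID Connect API.
import hmac
import secrets
import time


class RelyingParty:
    """Tracks pending authorization requests so that an assertion can be
    matched back to the request that solicited it."""

    def __init__(self, client_id, issuer, ttl_seconds=300):
        self.client_id = client_id      # RP's registered client_id at this IdP
        self.issuer = issuer            # expected `iss` value in the ID token
        self.ttl_seconds = ttl_seconds  # how long a started request stays valid
        self._pending = {}              # state -> (nonce, expiry timestamp)

    def start_login(self, now=None):
        """The endpoint proposed in the thread: an agent (or the RP's own
        login page) calls this to obtain the parameters for an authorization
        request. The RP, not the IdP, picks state and nonce and remembers them."""
        now = time.time() if now is None else now
        state = secrets.token_urlsafe(16)
        nonce = secrets.token_urlsafe(16)
        self._pending[state] = (nonce, now + self.ttl_seconds)
        return {"client_id": self.client_id, "state": state, "nonce": nonce}

    def accept_id_token(self, state, claims, now=None):
        """Validate an ID token's claims against the pending request named
        by `state`. Returns (accepted, reason). Token signature verification
        is assumed to have happened already and is out of scope here."""
        now = time.time() if now is None else now
        # Single use: pop so a replay with the same state cannot succeed.
        entry = self._pending.pop(state, None)
        if entry is None:
            # Unsolicited assertion: nobody at this RP started this request.
            return False, "unknown state"
        nonce, expiry = entry
        if now > expiry:
            return False, "expired"
        if claims.get("iss") != self.issuer:
            return False, "wrong issuer"
        if claims.get("aud") != self.client_id:
            return False, "wrong audience"
        token_nonce = str(claims.get("nonce", ""))
        if not hmac.compare_digest(token_nonce, nonce):
            return False, "nonce mismatch"
        return True, "ok"


if __name__ == "__main__":
    rp = RelyingParty("rp-client-1", "https://idp.example")
    req = rp.start_login()
    # Constructed claims of an ID token minted in response to that request.
    token = {"iss": "https://idp.example", "aud": "rp-client-1",
             "sub": "user-42", "nonce": req["nonce"]}
    print(rp.accept_id_token(req["state"], token))  # (True, 'ok')
    # Constructed unsolicited assertion: the IdP picked its own state and nonce.
    unsolicited = {"iss": "https://idp.example", "aud": "rp-client-1",
                   "sub": "user-42", "nonce": "idp-chosen-nonce"}
    print(rp.accept_id_token("idp-chosen-state", unsolicited))  # (False, 'unknown state')
```

The point of the endpoint is that the nonce and state stay RP-chosen and RP-remembered, which is the binding the XSRF protections rely on; a claim marking the nonce as IdP-generated, the alternative raised earlier in the thread, would require the RP to accept a nonce it never issued and so give up that binding.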