[Openid-specs-ab] [External Sender] Re: IDP Hint for /authorization requests

Brock Allen brockallen at gmail.com
Wed Aug 3 14:36:27 UTC 2022 

FWIW, we've used acr_values with a formatted value "idp:name_of_idp" approach. 

Similarly we also have used acr_values to pass tenant requirements with a formatted "tenant:name_of_tenant" for multi-tenant OP/AS scenarios.


-Brock
On 8/3/2022 10:32:09 AM, George Fletcher via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
So it seems that we have many implementations of this concept. I think what I'm looking for is whether we should try and standardize a parameter for this use case, or just leave each domain to define their own way to enable this functionality.

Thanks,
George

On Wed, Aug 3, 2022 at 10:22 AM Marcus Hardt via Openid-specs-ab <openid-specs-ab at lists.openid.net [mailto:openid-specs-ab at lists.openid.net]> wrote:

Hi There,

we've gone through this exercise within the AARC project. The scenario is
slightly more complex (we have this proxy architecture, and we're
protocol-agnostic-enough so that's also implementable in SAML), but I
think your use-case is fully covered in AARC-G061 [1].

[1] https://aarc-community.org/guidelines/aarc-g061/ [https://aarc-community.org/guidelines/aarc-g061/]


The longer part of the story is, that we originally had the 'idphint'
parameter, which was too loosely defined. Hence we defined it as
'aarc_idp_hint'.

Essentially, it is a single-values url-encoded StringOrURI.

The actual value is not specified, but I think it is generally assumed to
refer to either an 'iss' or in SAML to an 'entityID'.


If this aarc recommendation is not enough or too much from your
perspective, I think the original authors could be motivated to
participate in the discussion here.

Best,
Marcus.


On 02. Aug 2022 11:22, George Fletcher wrote:
> Hi,
>
> I know I've mentioned this in the past and wanted to bring it up again. If
> an OpenID Provider allows for federation with multiple IDPs, there are
> times the client wants to "tell" the OP which of those federated IDPs to
> use.
>
> In a social login context, this can allow the client to specifically tell
> the OP to use Facebook for authenticating this user. However, this pattern
> is used in many other contexts.
>
> Any interest in writing a very small spec to enable an 'idp_hint' parameter
> that can be passed as part of the /authorization request? I suppose this
> could also go to the IETF as it's not specific to ODIC.
>
> Thoughts?
>
> Thanks,
> George
>
> ______________________________________________________________________
>
>
>
> The information contained in this e-mail is confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer.
>
>
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20220802/74656401/attachment.html [http://lists.openid.net/pipermail/openid-specs-ab/attachments/20220802/74656401/attachment.html]>
>

--
Marcus.
_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net [mailto:Openid-specs-ab at lists.openid.net]
https://lists.openid.net/mailman/listinfo/openid-specs-ab [https://lists.openid.net/mailman/listinfo/openid-specs-ab]



The information contained in this e-mail is confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer.



_______________________________________________ Openid-specs-ab mailing list Openid-specs-ab at lists.openid.net https://lists.openid.net/mailman/listinfo/openid-specs-ab
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20220803/c6c9c61a/attachment.html>

More information about the Openid-specs-ab mailing list