<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">RPs shouldn't rely on the login_id
having *any* effect on the IdP's processing and MUST NOT have any
expectations to the contrary. The transaction could come back with
a different user, it could come back with a pseudonymous account,
etc. The idea for this, as I understand it, is just for the RP to
provide a hint for better UX. It does nothing to change the
security profile.<br>
<br>
-- Justin<br>
<br>
On 08/30/2012 02:01 PM, Breno de Medeiros wrote:<br>
</div>
<blockquote
cite="mid:CAAJ++qEAf+_2ZJTyiVMR1zFbgUu9KcMJ9ah5vz64uTQRY-dWqQ@mail.gmail.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<br>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Thu, Aug 30, 2012 at 11:00 AM,
Richer, Justin P. <span dir="ltr">&lt;<a
moz-do-not-send="true" href="mailto:jricher@mitre.org"
target="_blank">jricher@mitre.org</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">
As far as the spec is concerned, that's up to the IdP. A
"Smart" IdP might prompt the user with something like:
<div><br>
</div>
<div>"You are logging in to site X who thinks you're Bob,
but you're logged in as Alice. Click here to log in as
Bob instead."</div>
</div>
</blockquote>
<div><br>
</div>
<div>Well, it might be useful to give RPs some expectations.
For instance, RPs should be expecting the case where they
supply a login_id but receive a session authenticated to a
different user.</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word"><span class="HOEnZb"><font
color="#888888">
<div><br>
</div>
<div> -- Justin</div>
</font></span>
<div>
<div class="h5">
<div><br>
<div>
<div>On Aug 30, 2012, at 1:52 PM, Breno de
Medeiros wrote:</div>
<br>
<blockquote type="cite">Consider the case where
partners share a computer, or a user has a
personal account and a professional account with
the same IdP. If the currently logged-in user is
different from the user suggested via login_id,
what are the expectations?
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Thu, Aug 30, 2012
at 7:55 AM, Justin Richer <span dir="ltr">
&lt;<a moz-do-not-send="true"
href="mailto:jricher@mitre.org"
target="_blank">jricher@mitre.org</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Ryo,<br>
<br>
We talked about this on the call this
morning. Right now, we're saying that
it's RECOMMENDED that they have the
same value, but it's not required.
Since there are currently two
discovery setups (SWD and
Webfinger/XRD) that use different
parameter names, it might be a moot
point to try and match those.<span><font
color="#888888"><br>
<br>
-- Justin</font></span>
<div>
<div><br>
<br>
On 08/30/2012 01:28 AM, Ryo Ito
wrote:<br>
</div>
</div>
</div>
<div>
<div>
<blockquote type="cite">
<div>Do the principal parameter in the
discovery request and the login_id
parameter have the same value?</div>
<div>If yes, unifying the parameter
name (or cross-referencing the two)
will help developers.</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Ryo</div>
<br>
<div class="gmail_quote">2012/8/30
George Fletcher <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:gffletch@aol.com"
target="_blank">gffletch@aol.com</a>&gt;</span><br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF"
text="#000000"><font
face="Helvetica, Arial,
sans-serif">How about
adding the following to
section 2.1.2 of
Messages... after the
id_token parameter<br>
<br>
login_id<br>
OPTIONAL. A hint to
the authorization service
as to the login_id the
user may use to
authenticate (if
necessary). This hint can
be used by an RP if it
first asks the user for
their email address (or
other identifier) and then
wants to pass that value
as a hint to the
discovered authorization
service.<br>
<br>
Thanks,<br>
George<br>
<br>
</font>
<div>
<div>
<div>On 8/29/12 2:00 PM,
Nat Sakimura wrote:<br>
</div>
<blockquote type="cite">
<div>Hey, now I am
getting the
support! </div>
<div><br>
</div>
<div>Could one of you
provide the actual
text proposal for
it? <br>
<br>
=nat via iPhone</div>
<div><br>
On Aug 30, 2012, at
1:40 AM, Chuck
Mortimore &lt;<a
moz-do-not-send="true"
href="mailto:cmortimore@salesforce.com" target="_blank">cmortimore@salesforce.com</a>&gt;
wrote:<br>
<br>
</div>
<blockquote
type="cite">
<div>
<div>+1 <br>
<br>
- cmort</div>
<div><br>
On Aug 29, 2012,
at 9:26 AM, "Pam
Dingle" <<a
moz-do-not-send="true"
href="mailto:pdingle@pingidentity.com" target="_blank">pdingle@pingidentity.com</a>>
wrote:<br>
<br>
</div>
<blockquote
type="cite">
<div>+1 from me
too - need
this for
account
chooser, among
other things.<br>
<br>
<div
class="gmail_quote">On
Wed, Aug 29,
2012 at 8:39
AM, Richer,
Justin P. <span
dir="ltr">
&lt;<a
moz-do-not-send="true"
href="mailto:jricher@mitre.org" target="_blank">jricher@mitre.org</a>&gt;</span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0
0 0
.8ex;border-left:1px
#ccc
solid;padding-left:1ex">
<div
style="word-wrap:break-word">+1,
I've asked for
this feature
too.
<div><br>
</div>
<div> --
Justin</div>
<div><br>
<div>
<div>
<div>
<div>On Aug
29, 2012, at
11:27 AM,
George
Fletcher
wrote:</div>
<br>
</div>
</div>
<blockquote
type="cite">
<div>
<div>
<div
bgcolor="#FFFFFF"
text="#000000"><font
face="Helvetica,
Arial,
sans-serif">Hi,<br>
<br>
We've run into
a case where
it would be
nice to be
able to pass
into the
/authorize
endpoint a
value to
pre-fill the
loginid field
on the
authentication
UI. We allow
for an
id_token to be
passed as a
hint of the
desired user,
but this only
works for an
"already
authenticated"
use case.<br>
<br>
If we consider
the Account
Chooser case
where what is
stored is the
user's email
address, it
would be nice
to be able to
start the
identity
federation
flow passing
that email
address along
to the IdP.
<br>
<br>
Did I just
miss support
for this in
the specs?<br>
<br>
Thanks,<br>
George<br>
</font>
<pre cols="72">--
Chief Architect AIM: gffletch
Identity Services Engineering Work: <a moz-do-not-send="true" href="mailto:george.fletcher@teamaol.com" target="_blank">george.fletcher@teamaol.com</a>
AOL Inc. Home: <a moz-do-not-send="true" href="mailto:gffletch@aol.com" target="_blank">gffletch@aol.com</a>
Mobile: <a moz-do-not-send="true" href="tel:%2B1-703-462-3494" value="+17034623494" target="_blank">+1-703-462-3494</a> Blog: <a moz-do-not-send="true" href="http://practicalid.blogspot.com/" target="_blank">http://practicalid.blogspot.com</a>
Office: <a moz-do-not-send="true" href="tel:%2B1-703-265-2544" value="+17032652544" target="_blank">+1-703-265-2544</a> Twitter: <a moz-do-not-send="true" href="http://twitter.com/gffletch" target="_blank">http://twitter.com/gffletch</a>
</pre>
</div>
</div>
</div>
_______________________________________________<br>
Openid-specs-ab
mailing list<br>
<a
moz-do-not-send="true"
href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a
moz-do-not-send="true"
href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"
target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
</div>
<br>
<br
clear="all">
<div><br>
</div>
-- <br>
<span><font
style="color:rgb(52,54,52);font-size:12px"
face="Tahoma"
color="#343634"><strong><span>Pamela Dingle</span></strong> | <span>Sr.
Technical
Architect</span></font><br>
<font
style="font-size:11px"
face="Arial"><font
face="Tahoma"
color="#343634"><strong>Ping</strong></font><font face="Tahoma"
color="#E71939"><strong>Identity</strong></font> |
<a
moz-do-not-send="true"
href="http://www.pingidentity.com/" target="_blank">www.pingidentity.com</a><br>
- - - - - - -
- - - - - - -
- - - - - - -
- - - - - - -
- - - - - - -
- - - - -<br>
<font
color="#005568"><strong>O:</strong></font> <font
color="#343634"><span><a moz-do-not-send="true" href="tel:303-999-5890"
value="+13039995890" target="_blank">303-999-5890</a></span></font> <font
color="#005568"><strong>M:</strong></font> <font color="#343634"><span><a
moz-do-not-send="true" href="tel:303-999-5890" value="+13039995890"
target="_blank">303-999-5890</a></span></font><br>
<font
color="#005568"><strong>Email:</strong></font> <span><a
moz-do-not-send="true" href="mailto:pdingle@pingidentity.com"
target="_blank">pdingle@pingidentity.com</a></span><br>
- - - - - - -
- - - - - - -
- - - - - - -
- - - - - - -
- - - - - - -
- - - - -<br>
<table
cellpadding="0"
cellspacing="0">
<tbody>
<tr
valign="top">
<td
nowrap="nowrap">
<div
style="float:left"><font
style="font-size:11px" face="Arial"><font color="#005568"><strong>Connect
with Ping</strong></font><br>
<font
color="#000000">Twitter:
@pingidentity</font><br>
<font
color="#000000">LinkedIn
Group: Ping's
Identity Cloud</font>
<br>
<font
color="#000000"><a
moz-do-not-send="true" href="http://Facebook.com/pingidentitypage"
target="_blank">Facebook.com/pingidentitypage</a></font></font></div>
</td>
<td
nowrap="nowrap">
<div
style="margin-left:20px"><font
style="font-size:11px" face="Arial"><font color="#005568"><strong><span>Connect
with me</span></strong></font><br>
<font
color="#000000"><span>Twitter:
@pamelarosiedee</span></font><br>
<font
color="#000000"><span></span></font></font></div>
</td>
</tr>
</tbody>
</table>
</font></span><br>
</div>
</blockquote>
</div>
</blockquote>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
====================<br>
Ryo Ito<br>
Email : <a moz-do-not-send="true"
href="mailto:ritou.06@gmail.com"
target="_blank">ritou.06@gmail.com</a><br>
====================<br>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
--Breno<br>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
--Breno<br>
<br>
</div>
</blockquote>
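<div class="added-example">
<p>The relying-party side of the point Justin and Breno make above, as an added example that is not part of this thread and not text from any OpenID specification: the RP sends the hint for user-experience reasons only, then classifies whatever identity the IdP actually returns (the hinted user, a different user, or a pseudonymous account with no verifiable email) and keys its session and account linking on the returned (issuer, sub), never on the hint. The parameter name login_id is the one proposed in the thread; the helper names, the dict shape of the verified ID-token claims, the local account table and all sample values are my assumptions.</p>

```python
"""RP handling of a login_id hint (added example, not code from the thread).

Assumptions (mine, not the thread's): the authorization request is modelled
as a dict of query parameters; the ID token has already been signature-checked
and is passed in as a dict of claims; the RP's local account table is a dict
keyed by (issuer, sub). login_id is the parameter name proposed in the thread.
"""


def build_authorization_request(client_id, redirect_uri, state, nonce, login_hint=None):
    """Build the query parameters for the /authorize request.

    The hint is sent purely to pre-fill the IdP's login field; nothing in
    this module depends on the IdP honouring it.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email",
        "state": state,
        "nonce": nonce,
    }
    if login_hint:
        params["login_id"] = login_hint
    return params


def reconcile_login(hinted_email, claims, expected_issuer, expected_nonce):
    """Classify the identity that actually came back against the hint.

    Returns (outcome, subject). outcome is one of "reject", "no_hint",
    "match", "different_user" or "unconfirmed"; subject is the (issuer, sub)
    pair, the only thing a session may be keyed on.
    """
    # ID-token checks the RP performs regardless of any hint.
    if claims.get("iss") != expected_issuer:
        return ("reject", None)
    if claims.get("nonce") != expected_nonce:
        return ("reject", None)
    sub = claims.get("sub")
    if not sub:
        return ("reject", None)
    subject = (claims["iss"], sub)

    # Only a verified email may be compared with the hint; an unverified
    # value is treated as if no email were returned at all.
    email = claims.get("email") if claims.get("email_verified") is True else None

    if hinted_email is None:
        return ("no_hint", subject)
    if email is None:
        # Pseudonymous or email-less identity: the hint cannot be confirmed,
        # so the RP must not assume it was honoured.
        return ("unconfirmed", subject)
    if email.casefold() == hinted_email.casefold():
        return ("match", subject)
    # The shared-computer / personal-vs-professional case from the thread:
    # the IdP authenticated someone other than the hinted user.
    return ("different_user", subject)


def resolve_local_account(local_accounts, outcome, subject):
    """Map the returned subject to a local account.

    Linking is keyed on (issuer, sub) only. An unknown subject yields None
    and the RP must run its own account-linking flow; it never attaches the
    session to whichever local account the hint happened to name.
    """
    if outcome == "reject":
        return None
    return local_accounts.get(subject)


if __name__ == "__main__":
    # Constructed sample values, not from the thread.
    iss, nonce = "https://idp.example", "n-0S6_WzA2Mj"
    accounts = {(iss, "alice-248289761001"): "local-alice"}
    returned = {"iss": iss, "sub": "alice-248289761001", "nonce": nonce,
                "email": "alice@example.com", "email_verified": True}
    outcome, subject = reconcile_login("bob@example.com", returned, iss, nonce)
    print(outcome, resolve_local_account(accounts, outcome, subject))
```

<p>Running the module shows the case Breno raises: the hint named Bob, Alice came back, and the RP's session belongs to Alice's local account, not Bob's. The "unconfirmed" outcome covers the pseudonymous-account case Justin mentions; the RP treats it like any other unknown subject.</p>
</div>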
<br>
</body>
</html>