<br><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Aug 30, 2012 at 11:22 AM, Justin Richer <span dir="ltr"><<a href="mailto:jricher@mitre.org" target="_blank">jricher@mitre.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>RPs shouldn't rely on the login_id
having *any* effect on the IdP's processing and MUST NOT have any
expectations to the contrary. The transaction could come back with
a different user, it could come back with a pseudonymous account,
etc. The idea for this, as I understand it, is just for the RP to
provide a hint for better UX. It does nothing to change the
security profile.</div></div></blockquote><div><br></div><div>SGTM.</div><div><br></div><div>FTR, Google already supports hinting this under the (somewhat unfortunate) 'user_id' parameter, and aliasing it to 'login_id' would be very simple.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><div><span class=""><font color="#888888"><br>
<br>
-- Justin</font></span><div><div class="h5"><br>
<br>
On 08/30/2012 02:01 PM, Breno de Medeiros wrote:<br>
</div></div></div><div><div class="h5">
<blockquote type="cite">
<br>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Thu, Aug 30, 2012 at 11:00 AM,
Richer, Justin P. <span dir="ltr"><<a href="mailto:jricher@mitre.org" target="_blank">jricher@mitre.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">
As far as the spec is concerned, that's up to the IdP. A
"Smart" IdP might prompt the user with something like:
<div><br>
</div>
<div>"You are logging in to site X who thinks you're Bob,
but you're logged in as Alice. Click here to log in as
Bob instead."</div>
</div>
</blockquote>
<div><br>
</div>
<div>Well, it might be useful to give RPs some expectations.
For instance, RPs should be expecting the case where they
supply a login_id but receive a session authenticated to a
different user.</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word"><span><font color="#888888">
<div><br>
</div>
<div> -- Justin</div>
</font></span>
<div>
<div>
<div><br>
<div>
<div>On Aug 30, 2012, at 1:52 PM, Breno de
Medeiros wrote:</div>
<br>
<blockquote type="cite">Consider the case where
partners share a computer, or a user has a
personal account and a professional account with
the same IDP. If the currently logged-in user is
different from the suggested user via login_id,
what are the expectations?
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Thu, Aug 30, 2012
at 7:55 AM, Justin Richer <span dir="ltr">
<<a href="mailto:jricher@mitre.org" target="_blank">jricher@mitre.org</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Ryo,<br>
<br>
We talked about this on the call this
morning. Right now, we're saying that
it's RECOMMENDED that they have the
same value, but it's not required.
Since there are currently two
discovery setups (SWD and
Webfinger/XRD) that use different
parameter names, it might be a moot
point to try and match those.<span><font color="#888888"><br>
<br>
-- Justin</font></span>
<div>
<div><br>
<br>
On 08/30/2012 01:28 AM, Ryo Ito
wrote:<br>
</div>
</div>
</div>
<div>
<div>
<blockquote type="cite">
<div>Do the principal parameter at the discovery request and the login_id
parameter have the same value?</div>
<div>If so, the unification of the parameter name or
reference will help developers.</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Ryo</div>
<br>
<div class="gmail_quote">2012/8/30
George Fletcher <span dir="ltr"><<a href="mailto:gffletch@aol.com" target="_blank">gffletch@aol.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><font face="Helvetica, Arial,
sans-serif">How about
adding the following to
section 2.1.2 of
Messages... after the
id_token parameter<br>
<br>
login_id<br>
OPTIONAL. A hint to
the authorization service
as to the login_id the
user may use to
authenticate (if
necessary). This hint can
be used by an RP if it
first asks the user for
their email address (or
other identifier) and then
wants to pass that value
as a hint to the
discovered authorization
service.<br>
<br>
Thanks,<br>
George<br>
<br>
</font>
<div>
<div>
<div>On 8/29/12 2:00 PM,
Nat Sakimura wrote:<br>
</div>
<blockquote type="cite">
<div>Hey, now I am
getting the
support! </div>
<div><br>
</div>
<div>Could one of you
provide the actual
text proposal for
it? <br>
<br>
=nat via iPhone</div>
<div><br>
On Aug 30, 2012, at
1:40 AM, Chuck
Mortimore <<a href="mailto:cmortimore@salesforce.com" target="_blank">cmortimore@salesforce.com</a>>
wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>
<div>+1 <br>
<br>
- cmort</div>
<div><br>
On Aug 29, 2012,
at 9:26 AM, "Pam
Dingle" <<a href="mailto:pdingle@pingidentity.com" target="_blank">pdingle@pingidentity.com</a>>
wrote:<br>
<br>
</div>
<blockquote type="cite">
<div>+1 from me
too - need
this for
account
chooser, among
other things.<br>
<br>
<div class="gmail_quote">On
Wed, Aug 29,
2012 at 8:39
AM, Richer,
Justin P. <span dir="ltr">
<<a href="mailto:jricher@mitre.org" target="_blank">jricher@mitre.org</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word">+1,
I've asked for
this feature
too.
<div><br>
</div>
<div> --
Justin</div>
<div><br>
<div>
<div>
<div>
<div>On Aug
29, 2012, at
11:27 AM,
George
Fletcher
wrote:</div>
<br>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div bgcolor="#FFFFFF" text="#000000"><font face="Helvetica,
Arial,
sans-serif">Hi,<br>
<br>
We've run into
a case where
it would be
nice to be
able to pass
into the
/authorize
endpoint a
value to
pre-fill the
loginid field
on the
authentication
UI. We allow
for an
id_token to be
passed as a
hint of the
desired user,
but this only
works for an
"already
authenticated"
use case.<br>
<br>
If we consider
the Account
Chooser case
where what is
stored is the
user's email
address, it
would be nice
to be able to
start the
identity
federation
flow passing
that email
address along
to the IdP.
<br>
<br>
Did I just
miss support
for this in
the specs?<br>
<br>
Thanks,<br>
George<br>
</font>
<pre cols="72">--
Chief Architect AIM: gffletch
Identity Services Engineering Work: <a href="mailto:george.fletcher@teamaol.com" target="_blank">george.fletcher@teamaol.com</a>
AOL Inc. Home: <a href="mailto:gffletch@aol.com" target="_blank">gffletch@aol.com</a>
Mobile: <a href="tel:%2B1-703-462-3494" value="+17034623494" target="_blank">+1-703-462-3494</a> Blog: <a href="http://practicalid.blogspot.com/" target="_blank">http://practicalid.blogspot.com</a>
Office: <a href="tel:%2B1-703-265-2544" value="+17032652544" target="_blank">+1-703-265-2544</a> Twitter: <a href="http://twitter.com/gffletch" target="_blank">http://twitter.com/gffletch</a>
</pre>
</div>
</div>
</div>
_______________________________________________<br>
Openid-specs-ab
mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote>
</div>
<br>
</div>
</div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<span><font style="color:rgb(52,54,52);font-size:12px" face="Tahoma" color="#343634"><strong><span>Pamela Dingle</span></strong> | <span>Sr.
Technical
Architect</span></font><br>
<font style="font-size:11px" face="Arial"><font face="Tahoma" color="#343634"><strong>Ping</strong></font><font face="Tahoma" color="#E71939"><strong>Identity</strong></font> |
<a href="http://www.pingidentity.com/" target="_blank">www.pingidentity.com</a><br>
- - - - - - -
- - - - - - -
- - - - - - -
- - - - - - -
- - - - - - -
- - - - -<br>
<font color="#005568"><strong>O:</strong></font> <font color="#343634"><span><a href="tel:303-999-5890" value="+13039995890" target="_blank">303-999-5890</a></span></font> <font color="#005568"><strong>M:</strong></font> <font color="#343634"><span><a href="tel:303-999-5890" value="+13039995890" target="_blank">303-999-5890</a></span></font><br>
<font color="#005568"><strong>Email:</strong></font> <span><a href="mailto:pdingle@pingidentity.com" target="_blank">pdingle@pingidentity.com</a></span><br>
- - - - - - -
- - - - - - -
- - - - - - -
- - - - - - -
- - - - - - -
- - - - -<br>
<table cellpadding="0" cellspacing="0">
<tbody>
<tr valign="top">
<td nowrap>
<div style="float:left"><font style="font-size:11px" face="Arial"><font color="#005568"><strong>Connect
with Ping</strong></font><br>
<font color="#000000">Twitter:
@pingidentity</font><br>
<font color="#000000">LinkedIn
Group: Ping's
Identity Cloud</font>
<br>
<font color="#000000"><a href="http://Facebook.com/pingidentitypage" target="_blank">Facebook.com/pingidentitypage</a></font></font></div>
</td>
<td nowrap>
<div style="margin-left:20px"><font style="font-size:11px" face="Arial"><font color="#005568"><strong><span>Connect
with me</span></strong></font><br>
<font color="#000000"><span>Twitter:
@pamelarosiedee</span></font><br>
<font color="#000000"><span></span></font></font></div>
</td>
</tr>
</tbody>
</table>
</font></span><br>
</div>
</blockquote>
</div>
</blockquote>
<br>
</blockquote>
<br>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
====================<br>
Ryo Ito<br>
Email : <a href="mailto:ritou.06@gmail.com" target="_blank">ritou.06@gmail.com</a><br>
====================<br>
<br>
</blockquote>
<br>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
--Breno<br>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
--Breno<br>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>--Breno<br><br>
</div>
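<div>The thread above settles on login_id as a pure UX hint that the IdP may ignore and that the RP must not treat as a promise about who comes back. The following is an added example, not code from the thread, from Google, or from any implementation it mentions: the RP builds the request with the hint, a "smart" IdP decides between pre-filling the login form, continuing as the session user, or offering the account switch Justin describes, and the RP reconciles the hint against the claims it actually received. All function names, return values and the sample identifiers are my own assumptions.</div>

```python
"""Added example: login_id as a hint on both sides of an OpenID Connect
authorization request. Not code from the openid-specs-ab thread; function
names, return values and sample identifiers are constructed for illustration."""
from urllib.parse import urlencode


def build_authorize_url(authz_endpoint, client_id, redirect_uri, state, login_id=None):
    """RP: build the /authorize request, adding login_id only as a UX hint."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid email", "state": state}
    if login_id:
        params["login_id"] = login_id  # OPTIONAL hint; the IdP is free to ignore it
    return authz_endpoint + "?" + urlencode(params)


def idp_decide(session_login_id, login_id_hint):
    """IdP: choose the next UI step. Returns (action, value_shown_to_user)."""
    if session_login_id is None:
        # No session yet: the hint only pre-fills the login field; the user may change it.
        return ("show_login_form", login_id_hint)
    if login_id_hint is None or session_login_id.lower() == login_id_hint.lower():
        return ("continue_as_session_user", session_login_id)
    # Shared computer, or personal vs. work account at the same IdP: offer the switch
    # ("site X thinks you're Bob, but you're logged in as Alice") instead of silently
    # picking either identity.
    return ("offer_account_switch", login_id_hint)


def rp_reconcile(login_id_hint, id_token_claims):
    """RP: after the response, never assume the hint was honoured.

    The session is bound to 'sub' in every case; the outcome only tells the RP
    whether the user it asked for is the user it got, so it can say so in the UI."""
    sub = id_token_claims.get("sub")
    if not sub:
        raise ValueError("ID token without sub cannot establish a session")
    email = id_token_claims.get("email")
    if not email or not id_token_claims.get("email_verified", False):
        # Pseudonymous account or unverified email: nothing trustworthy to compare.
        return {"sub": sub, "outcome": "hint_unconfirmed"}
    if login_id_hint and email.lower() == login_id_hint.lower():
        return {"sub": sub, "outcome": "hint_matched"}
    return {"sub": sub, "outcome": "different_user"}
```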