<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 11/22/16 4:36 PM, Hardt, Dick wrote:<br>
</div>
<blockquote
cite="mid:0D726C0C-C596-4285-9F40-B73BB2AA677F@amazon.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Courier New";
panose-1:2 7 3 9 2 2 5 2 4 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.apple-style-span
{mso-style-name:apple-style-span;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Courier;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:Calibri;
color:windowtext;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri">So the AOL
access is a Facebook login, correct?</span></p>
</div>
</blockquote>
Yes, AOL is allowing access... to say... leave a comment... as long
as the user can authenticate via Facebook (OAuth2).<br>
<blockquote
cite="mid:0D726C0C-C596-4285-9F40-B73BB2AA677F@amazon.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri">Per your
enterprise example below, yes, we should look at events that
lead to the generation of new events. (propagation of events
implies that Google is sharing a Slack event, which is NOT
what we are saying)</span></p>
</div>
</blockquote>
Actually I was thinking that Slack would register with Google (via
the OIDC relationship) and Google would register with ACME Idp via
the delegated SAML flow (we haven't really talked about this).<br>
<br>
So, if something happens at ACME IdP, it would generate an event to
Google. Google would evaluate that event and if necessary generate
an event to Slack.<br>
<blockquote
cite="mid:0D726C0C-C596-4285-9F40-B73BB2AA677F@amazon.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri">I expect that
with the deployment of RISC and other, advanced
authentication features, that more enterprises would look to
leverage Google to do their authentication.</span></p>
</div>
</blockquote>
I think this could be true for small businesses but I don't see it
happening for larger enterprises and they will continue to use an
internal AD. Many enterprises use AD for more than just web
authentication.<br>
<blockquote
cite="mid:0D726C0C-C596-4285-9F40-B73BB2AA677F@amazon.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri">/Dick<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:Calibri"><o:p> </o:p></span></p>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><span
style="font-size:11.0pt;font-family:Consolas;color:black">On
11/22/16, 1:30 PM, someone claiming to be "George
Fletcher" <<a moz-do-not-send="true"
href="mailto:gffletch@aol.com">gffletch@aol.com</a>>
wrote:<o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
<p class="MsoNormal"
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:.5in"><span
style="font-family:Helvetica">So I would answer that
question as...<br>
<br>
The user who owns the *@gmail.com account does have an
account at AOL but they do so via Facebook. AOL would have
the standard OAuth2 direct relationship with Facebook based
on the Facebook user id (I'm assuming that's how that
relationship would be established).<br>
<br>
In the consumer case, it's possible to just rely on the
direct relationships and trust that any implicit ones will
propagate through the direct one in a timely manner.<br>
<br>
So back to my example. If something happens at Google to
*@gmail.com, then Facebook would get notified and if that
triggers something at Facebook, AOL would get notified via
the Facebook path. I do think it helps in this use case that
Facebook is effectively acting as an IdP for the user
(Facebook does an authentication).<br>
<br>
The Enterprise example is a little more complicated because
in that case there is only one entity that is authenticating
the user because Google is delegating authentication to the
enterprise IdP. Take an example where ACME Corp uses Google
Apps but does it's own authentication, and an ACME Corp
employee uses Google to log into Slack. Slack as an RP has a
direct relationship with Google. Google has a direct
relationship with ACME IdP. Should we again rely on
propagation of events through the direct relationship paths?<br>
<br>
Thanks,<br>
George</span><o:p></o:p></p>
<div>
<p class="MsoNormal" style="margin-left:.5in">On 11/22/16 4:15
PM, Hardt, Dick wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<pre style="margin-left:.5in">George: does the *@gmail.com user have an account at AOL? Let’s assume that is the use case you are talking about. It is not clear how Facebook and AOL are going to learn they share a user. In the F2F we talked about direct relationships would proxy in same way for indirect relationships. Ie. AOL would share data with Google, and Facebook would share data with Google. If there is an event at Facebook that is shared with Google, then that may create an event at Google that would be shared with Facebook.<o:p></o:p></pre>
<pre style="margin-left:.5in"><o:p> </o:p></pre>
<pre style="margin-left:.5in">/Dick<o:p></o:p></pre>
<pre style="margin-left:.5in"><o:p> </o:p></pre>
<pre style="margin-left:.5in">On 11/22/16, 9:50 AM, someone claiming to be "Openid-specs-risc on behalf of George Fletcher" <a moz-do-not-send="true" href="mailto:openid-specs-risc-bounces@lists.openid.netonbehalfofgffletch@aol.com"><openid-specs-risc-bounces@lists.openid.net on behalf of gffletch@aol.com></a> wrote:<o:p></o:p></pre>
<pre style="margin-left:.5in"><o:p> </o:p></pre>
<pre style="margin-left:.5in"> Hi,<o:p></o:p></pre>
<pre style="margin-left:.5in"> <o:p></o:p></pre>
<pre style="margin-left:.5in"> Given that at AOL we are a relying party to Google, Facebook, Yahoo, <o:p></o:p></pre>
<pre style="margin-left:.5in"> Twitter, LinkedIn, etc. ... when a user logs in via Facebook with an <o:p></o:p></pre>
<pre style="margin-left:.5in"> email address of *@gmail.com, should AOL subscribe at both Facebook and <o:p></o:p></pre>
<pre style="margin-left:.5in"> Google? or just Facebook?<o:p></o:p></pre>
<pre style="margin-left:.5in"> <o:p></o:p></pre>
<pre style="margin-left:.5in"> This is similar to the enterprise case we talked about in the F2F. In <o:p></o:p></pre>
<pre style="margin-left:.5in"> that case it was someone logging in via Google with an identity that is <o:p></o:p></pre>
<pre style="margin-left:.5in"> not authenticated by Google but rather by the owning enterprise domain.<o:p></o:p></pre>
<pre style="margin-left:.5in"> <o:p></o:p></pre>
<pre style="margin-left:.5in"> Thoughts?<o:p></o:p></pre>
<pre style="margin-left:.5in"> <o:p></o:p></pre>
<pre style="margin-left:.5in"> Thanks,<o:p></o:p></pre>
<pre style="margin-left:.5in"> George<o:p></o:p></pre>
<pre style="margin-left:.5in"> _______________________________________________<o:p></o:p></pre>
<pre style="margin-left:.5in"> Openid-specs-risc mailing list<o:p></o:p></pre>
<pre style="margin-left:.5in"> <a moz-do-not-send="true" href="mailto:Openid-specs-risc@lists.openid.net">Openid-specs-risc@lists.openid.net</a><o:p></o:p></pre>
<pre style="margin-left:.5in"> <a moz-do-not-send="true" href="http://lists.openid.net/mailman/listinfo/openid-specs-risc">http://lists.openid.net/mailman/listinfo/openid-specs-risc</a><o:p></o:p></pre>
<pre style="margin-left:.5in"> <o:p></o:p></pre>
<pre style="margin-left:.5in"><o:p> </o:p></pre>
</blockquote>
<p class="MsoNormal" style="margin-left:.5in"><br>
<br>
<o:p></o:p></p>
</div>
</blockquote>
<br>
</body>
</html>