Timing of Realm/RP validation

Hubert Le Van Gong Hubert.Levangong at Sun.COM
Wed Jan 20 22:49:22 UTC 2010


Hi Allen,

Thanks for the explanation.
I agree doing it before user authN makes sense, especially
as it leaves room to warn the user.
As for caching the verification, this is a feature we should look
into adding in our OpenSSO implementation.


Cheers
Hubert

On Jan 20, 2010, at 10:38 PM, Allen Tom wrote:

> Hi Hubert -
>
> RP Realm verification should be done by the OP before returning the
> assertion to the RP. Depending on the OP's security policies, the OP may
> want to warn the user, or even block the request if the return_to for the
> realm can't be verified.
>
> It might make sense for the OP to verify the realm prior to authenticating
> the user, since it makes sense to detect the realm mismatch as early in the
> request lifecycle as possible. For instance - the OP could display a warning
> or error to the user before the user even logs in to the OP.
>
> In Yahoo's case, we do the verification and cache the result so that it can
> be reused for multiple requests. As Andrew mentioned, we cache the result
> for an hour. We have seen some issues with data freshness when RPs change
> their return_to URLs.
>
> Thanks
> Allen
>
>
>
> On 1/15/10 5:33 PM, "Andrew Arnott" <andrewarnott at gmail.com> wrote:
>
>> Ya, you're free to do RP verification before or after authentication.
>> In fact some major OPs like Yahoo cache the results for 1 hour and
>> thus don't actually perform RP verification most times at all (if it's
>> in their cache).
>>
>> On Friday, January 15, 2010, Hubert Le Van Gong
>> <Hubert.Levangong at sun.com> wrote:
>>> Greetings,
>>> Is it correct to say the spec (2.0) does not mandate a specific moment in the
>>> protocol at which the RP/realm validation should occur? For instance, the OP
>>> could first authenticate the user and then perform RP verification or it could
>>> do that validation before authenticating the user. Although the latter seems
>>> more intuitive (and efficient) would both be compliant?
>>> Cheers,
>>> Hubert
>>>
>>>
>>> --
>>> Hubert A. Le Van Gong
>>> Identity Architect
>>> Sun microsystems, Inc.
>>>
>>> 17 Rue Duprey
>>> Grenoble, 38000
>>> France
>>> --------------------------------------------------
>>> email: hubert.levangong at sun.COM
>>> tel: +33 4 7663 0935
>>> blog: http://blog.levangong.com/
>>> N 45  11.900' W 005  44.145' Elev. 736 ft.
>>>
>>>
>
> _______________________________________________
> specs mailing list
> specs at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs

--
Hubert A. Le Van Gong
Identity Architect
Sun microsystems, Inc.


17 Rue Duprey
Grenoble, 38000
France

--------------------------------------------------
email: hubert.levangong at sun.COM
tel:+33 4 7663 0935
blog: http://blog.levangong.com/

N 45  11.900'
W 005  44.145'
Elev. 736 ft.
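The check the thread is discussing, as an added example that is not code from OpenSSO, Yahoo or the OpenID project: the OP matches the request's return_to against the realm using the OpenID 2.0 section 9.2 rules (same scheme and port, path within the realm path, host equal to the realm host or, for a "*." realm, a subdomain of the part after the wildcard), discovers the RP's authorized return_to URLs from the realm (with "*." replaced by "www."), and caches that discovery result per realm with a one-hour TTL so that most requests never repeat discovery, as Allen describes. Discovery here is a constructed lookup table rather than a network fetch of the XRDS document, the wildcard "at least one dot" rule is a heuristic of my own against overly general realms, and the re-discovery on a stale cache hit is my own addition aimed at the data-freshness problem Allen mentions when RPs change their return_to URLs.

```python
"""Added example (not OpenSSO, Yahoo or OpenID project code): realm matching
and a time-limited cache of RP discovery results, as the thread describes.
Discovery is a constructed lookup table here rather than a network fetch."""
import time
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _normalize(url):
    """Split a URL into the parts the realm rules compare."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port, parts.path or "/", parts.fragment


def _path_within(path, realm_path):
    """Path equal to the realm path or a sub-directory of it ("/foo" does not cover "/foobar")."""
    prefix = realm_path if realm_path.endswith("/") else realm_path + "/"
    return path == realm_path or path.startswith(prefix)


def url_matches_realm(url, realm):
    """OpenID 2.0 section 9.2 rules, paraphrased: same scheme and port, path
    within the realm path, host equal to the realm host or, for a "*." realm,
    equal to or a subdomain of the part after the wildcard."""
    r_scheme, r_host, r_port, r_path, r_fragment = _normalize(realm)
    u_scheme, u_host, u_port, u_path, _ = _normalize(url)
    if r_fragment or not r_scheme or not r_host:
        return False                      # a realm carries no fragment
    if u_scheme != r_scheme or u_port != r_port:
        return False
    if not _path_within(u_path, r_path):
        return False
    if r_host.startswith("*."):
        base = r_host[2:]
        if "." not in base:               # heuristic (mine): refuse "*.com"-style realms
            return False
        return u_host == base or u_host.endswith("." + base)
    return u_host == r_host


def discovery_url(realm):
    """Where the OP fetches the RP's XRDS: the realm with "*." replaced by "www."."""
    parts = urlsplit(realm)
    netloc = parts.netloc
    if netloc.startswith("*."):
        netloc = "www." + netloc[2:]
    return parts._replace(netloc=netloc).geturl()


# Constructed stand-in for the return_to URLs an XRDS document would list.
SAMPLE_XRDS = {
    "http://www.example.com/": ["http://www.example.com/openid/return"],
    "https://rp.example.org/": ["https://rp.example.org/auth/finish"],
}


def sample_discover(url):
    return list(SAMPLE_XRDS.get(url, []))


class RealmVerifier:
    """Verifies return_to against the realm and the discovered return_to list,
    caching discovery per realm (one hour by default). A cache hit that no
    longer matches triggers one fresh discovery before the request is
    rejected, which covers RPs that changed their return_to URLs."""

    def __init__(self, discover=sample_discover, ttl_seconds=3600, clock=time.time):
        self._discover, self._ttl, self._clock = discover, ttl_seconds, clock
        self._cache = {}   # realm -> (expires_at, tuple of authorized return_to URLs)

    def _authorized(self, realm, force=False):
        now = self._clock()
        hit = self._cache.get(realm)
        if hit and hit[0] > now and not force:
            return hit[1], True
        urls = tuple(self._discover(discovery_url(realm)))
        self._cache[realm] = (now + self._ttl, urls)   # empty results are cached too
        return urls, False

    def verify(self, realm, return_to):
        """Return (verdict, served_from_cache); verdict is "ok", "mismatch" or
        "unverifiable" (discovery found no return_to URLs)."""
        if not url_matches_realm(return_to, realm):
            return "mismatch", False
        urls, cached = self._authorized(realm)
        if cached and not any(url_matches_realm(return_to, u) for u in urls):
            urls, cached = self._authorized(realm, force=True)
        if not urls:
            return "unverifiable", cached
        ok = any(url_matches_realm(return_to, u) for u in urls)
        return ("ok" if ok else "mismatch"), cached


def demo():
    """Three requests for one realm: discovery, cache hit, then expiry after an hour."""
    now = {"t": 1000.0}
    v = RealmVerifier(clock=lambda: now["t"])
    realm, return_to = "http://*.example.com/", "http://www.example.com/openid/return"
    first = v.verify(realm, return_to)
    second = v.verify(realm, return_to)
    now["t"] += 3601
    third = v.verify(realm, return_to)
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

An "unverifiable" verdict is where the OP's policy from the thread applies: warn the user, or block the request, before the user is asked to log in. Negative results are cached with the same TTL, so a realm that has no XRDS stays cheap to reject; the forced re-discovery only fires on a positive cache entry that stops matching.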
