<div>I think I've figured out the flow. It's seamless from the point of view of the user. It will require explicit support from the Idenity Provider (on top of AX), and the client website will need to have an AX update receiver that supports this as well. No special support is needed in the web browser.</div>
<div> </div>
<div>Turn on auto-logon on each site</div>
<div> </div>
<div>1. Log into the relying party normally</div>
<div>2. Site begins OpenID authentication, sends AX request asking for the IsLoggedIn variable, and requests updates when the value changes.</div>
<div>3. User selects whether or not they want this to occur (automatically notify the site upon login)</div>
<div>4. From the user's point-of-view, login now occurs automatically at that site.</div>
<div> </div>
<div>Federated login</div>
<div> </div>
<div>1. User logs in to OpenID Provider</div>
<div>2. IsLoggedIn variable is updated with a pseudo-random value</div>
<div>3. All sites subscribing to the IsLoggedIn variable are updated using AX.</div>
<div>4. OpenID Provider displays a page loaded with hidden iframes pointing to the same site URLs used for listening for AX updates. The IsLoggedIn variable is included as an argument.</div>
<div>5. Each site's iframe performs regular OpenID authentication using the identity info already cached by the AX update receiver.</div>
<div>6. As browser loads each iframe, it receives a standard login cookie from each site.</div>
<div>7. User can connect to each site and will be automatically logged in.</div>
<div> </div>
<div>Federated logout</div>
<div> </div>
<div>1. User logs out of OpenID Provider</div>
<div>2. IsLoggedIn variable is updated with a value of "false"</div>
<div>3. All sites subscribing to the IsLoggedIn variable are updated using AX.</div>
<div>4. Each receiving site expires the user session.</div>
<div> </div>
<div>Does this sound feasible?</div>
<div> </div>
<div> </div>
<div><span class="gmail_quote">On 2/18/08, <b class="gmail_sendername">John Ehn</b> <<a href="mailto:john@extremeswank.com">john@extremeswank.com</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div>This can be pretty easily done by piggy-backing on the Attribute Exchange extension. Have your OpenID Provider store a "IsLoggedIn" variable. When the value is updated, the OpenID Provider can update all the websites subscribing to the value.</div>
<div> </div>
<div>The tricky part is having the web browser be automatically identifiable from all of these supported sites. My first thought would be:</div>
<div> </div>
<div>* Store and send out the value in of the IsLoggedIn variable to all the websites</div>
<div>* Give the browser multiple session cookies that are visible from each of the websites that the values was sent to, which contains a hash of the value plus the website URL.</div>
<div>* When the website sees the cookie, it can take the cookie, generate and compare the hash. If the hashes match, automatically do an OpenID login</div>
<div>* When the user logs out at the OpenID Provider, AX will update all subscribing websites, thereby logging the user out of all sites</div>
<div> </div>
<div>Although, I believe most web browsers won't let you store cookies that are visible from multiple sites. Perhaps someone more familiar with these mechanics and chip in? Maybe somehow detect the web browser's "signature" without involving any functionality in the browser itself?</div>
<div> </div>
<div>Thanks,</div><span class="sg">
<div> </div>
<div>John Ehn</div>
<div><a onclick="return top.js.OpenExtLink(window,event,this)" href="http://extremeswank.com/" target="_blank">extremeswank.com</a><br> </div></span>
<div><span class="e" id="q_1182d6bbb4ddc241_2">
<div><span class="gmail_quote">On 2/18/08, <b class="gmail_sendername">Martin Paljak</b> <<a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:martin@paljak.pri.ee" target="_blank">martin@paljak.pri.ee</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid"><br>On Feb 18, 2008, at 5:11 PM, McGovern, James F (HTSC, IT) wrote:<br>> Likewise, I would think that for automatic signon, it would be a good<br>
> thing if the OpenID provider could tell the relying party how long to<br>> leave an otherwise idle session open before timing it out. Not sure if<br>> this would require an extension or not.<br><br>expires_in from <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://openid.net/specs/openid-authentication-2_0.html#anchor20" target="_blank">http://openid.net/specs/openid-authentication-2_0.html#anchor20</a><br>
should do exactly this.<br><br>m.<br>--<br>Martin Paljak<br><a onclick="return top.js.OpenExtLink(window,event,this)" href="http://martin.paljak.pri.ee/" target="_blank">http://martin.paljak.pri.ee</a><br>+3725156495<br><br>
<br>_______________________________________________<br>specs mailing list<br><a onclick="return top.js.OpenExtLink(window,event,this)" href="mailto:specs@openid.net" target="_blank">specs@openid.net</a><br><a onclick="return top.js.OpenExtLink(window,event,this)" href="http://openid.net/mailman/listinfo/specs" target="_blank">http://openid.net/mailman/listinfo/specs</a><br>
</blockquote></div><br></span></div></blockquote></div><br>