Re: Login Federation

2008-02-20 Thread John Ehn
During the session cookie request, we are notifying the RP of the isLoggedIn attribute. The RP will already have this value (along with the matching OpenID Identifier) because it was notified of the value when the isLoggedIn attribute was updated. The RP can then build a cookie that matches the U

Re: Login Federation

2008-02-20 Thread Tatsuya KATSUHARA
Thanks! 1st: How to input OpenID implicitly. 2nd: How to SLO from RP/OP(How to notify to RP or OP). For 1st, you issue site-specific session cookie and notify the value of *isLoggedin* attribute requested on the last? explicit login from RP and UA'll get the authenticated session cookie via IMG

Re: Login Federation

2008-02-20 Thread John Ehn
Sounds like fun. But I don't think I have the energy to go through a process like that to get an extension spec registered. If anyone wants to take the spec and run with it, they are welcome to. Thanks, John On 2/20/08, Nat Sakimura <[EMAIL PROTECTED]> wrote: > > Actually, there seems to be. >

Re: Login Federation

2008-02-20 Thread Nat Sakimura
Actually, there seems to be. I was reading through the documents today and found about it. http://openid.net/ipr/OpenID_Process_Document_(Final_Clean_20071221).pdf Basically, 1. Contributors for the new spec Sign the Contribution Agreement and gather more than five proposed WG members. 2. Apply

Re: Login Federation

2008-02-19 Thread John Ehn
I've posted a Draft 0 version to the OpenID Wiki. Please feel free to comment and modify as needed. http://wiki.openid.net/Federation_Extension Thanks, John On 2/19/08, John Ehn <[EMAIL PROTECTED]> wrote: > > Brett, > > No formal process. All RFC through the mailing list. > > Thanks, > > John

Re: Login Federation

2008-02-19 Thread John Ehn
Brett, No formal process. All RFC through the mailing list. Thanks, John On 2/19/08, Brett Carter <[EMAIL PROTECTED]> wrote: > > John Ehn wrote: > > Sounds good. I'm working on a draft. Once it's in a readable state, > > I'll post it for comments. > > > > Thanks! > > Is there a formal proce

Re: Login Federation

2008-02-19 Thread Brett Carter
John Ehn wrote: > Sounds good. I'm working on a draft. Once it's in a readable state, > I'll post it for comments. > > Thanks! Is there a formal process for submitting a proposal yet? Or are we just going with RFC format for now? -Brett ___ specs

Re: Login Federation

2008-02-19 Thread Brett Carter
> As people have mentioned (although without using reply to all :-P), > using the tag would provide for an anti-phishing method by > allowing the user to specify the image that loads. Also, IMG tags are better supported in mobile browsers... Somebody tell Steve to add a 'reply to list' button

Re: Login Federation

2008-02-19 Thread Allen Tom
expires_in only specifies the lifetime of an association handle. There's no parameter that indicates the lifetime of an authentication response. Allen Martin Paljak wrote: On Feb 18, 2008, at 5:11 PM, McGovern, James F (HTSC, IT) wrote: Likewise, I would think that for automatic signon, i

Re: Login Federation

2008-02-19 Thread SignpostMarv Martin
> > On 2/19/08, *Brett Carter* <[EMAIL PROTECTED] > > wrote: > > This is close to what I was thinking, however why not simply pass > the user's open id url to the external site, through some yet > undefined parameter. This way, there's little chance for cache

Re: Login Federation

2008-02-19 Thread John Ehn
Sounds good. I'm working on a draft. Once it's in a readable state, I'll post it for comments. Thanks! On 2/19/08, Brett Carter <[EMAIL PROTECTED]> wrote: > > This is close to what I was thinking, however why not simply pass the > user's open id url to the external site, through some yet unde

Re: Login Federation

2008-02-18 Thread Brett Carter
This is close to what I was thinking, however why not simply pass the user's open id url to the external site, through some yet undefined parameter. This way, there's little chance for cache poisoning. Passing the open id url, the consumer site can just proceed with authentication normall

Re: Login Federation

2008-02-18 Thread Brett Carter
I think the img tag is the best solution. That way, the end user can know if they were logged into a site or not. If the image shows up, they logged in. Also, there's better support for mobile browsers, and a bit more defense against phishing-type attacks (the end user could choose their

Re: Login Federation

2008-02-18 Thread John Ehn
Well, with some tweaking elsewhere. Hidden iframes are the smoothest way to do it. On 2/18/08, John Ehn <[EMAIL PROTECTED]> wrote: > > It was just an example. In theory, you could do it with an IMG or OBJECT > tag. > > On 2/18/08, SignpostMarv Martin <[EMAIL PROTECTED]> wrote: > > > > John Ehn w

Re: Login Federation

2008-02-18 Thread John Ehn
It was just an example. In theory, you could do it with an IMG or OBJECT tag. On 2/18/08, SignpostMarv Martin <[EMAIL PROTECTED]> wrote: > > John Ehn wrote: > > 5. Each site's iframe performs regular OpenID authentication using > > the identity info already cached by the AX update receiver. > > >

Re: Login Federation

2008-02-18 Thread SignpostMarv Martin
John Ehn wrote: > 5. Each site's iframe performs regular OpenID authentication using > the identity info already cached by the AX update receiver. > Doable without iframes?

Re: Login Federation

2008-02-18 Thread John Ehn
I think I've figured out the flow. It's seamless from the point of view of the user. It will require explicit support from the Identity Provider (on top of AX), and the client website will need to have an AX update receiver that supports this as well. No special support is needed in the web brows

Re: Login Federation

2008-02-18 Thread John Ehn
This can be pretty easily done by piggy-backing on the Attribute Exchange extension. Have your OpenID Provider store an "IsLoggedIn" variable. When the value is updated, the OpenID Provider can update all the websites subscribing to the value. The tricky part is having the web browser be automati

Re: Login Federation

2008-02-18 Thread Martin Paljak
On Feb 18, 2008, at 5:11 PM, McGovern, James F (HTSC, IT) wrote: > Likewise, I would think that for automatic signon, it would be a good > thing if the OpenID provider could tell the relying party how long to > leave an otherwise idle session open before timing it out. Not sure if > this would req

RE: Login Federation

2008-02-18 Thread McGovern, James F (HTSC, IT)
- > > Message: 1 > Date: Thu, 14 Feb 2008 19:31:40 -0800 > From: Brett Carter <[EMAIL PROTECTED]> > Subject: Login Federation > To: specs@openid.net > Message-ID: <[EMAIL PROTECTED]> > Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes

Re: Login Federation

2008-02-18 Thread Nat Sakimura
In a single domain scenario, such as inside a corporation, one could issue a domain cookie having op_identifier or claimed_id and RP can start the authentication request based on this. It is not in the spec, but can easily be done. In a multi domain scenario such as the Internet, it is not tha

Login Federation

2008-02-15 Thread McGovern, James F (HTSC, IT)
Wouldn't this take the user out of the middle? I would think this would be bad at some level. -- Message: 1 Date: Thu, 14 Feb 2008 19:31:40 -0800 From: Brett Carter <[EMAIL PROTECTED]> Subject: Login Federatio

Login Federation

2008-02-14 Thread Brett Carter
I've dug around a bit, and haven't found anything, so I thought I'd ask here. Is any work being done on adding some sort of federated login for open id? By 'federated' I simply mean that signing into my open id provider, this automatically signs me into all my open id enabled sites (of my