IIW - User contributions [en]

OpenID Session Management Best Practices

2011-12-09T08:13:25Z

IntelpNeelok1:

Results are on the OpenID wiki at: http://wiki.openid.net/Session-Management

'''Convener:''' Mike Jones, Oren Melzer; Ariel Gordon

'''Notes-taker:''' Ariel Gordon

'''Tags:'''

OpenID; Active Client; Selector; User Experience; Security; Information Card; Card Selector; Windows CardSpace

'''Discussion notes:'''

This is a presentation of an experimental selector for OpenID. The goal is to evolve OpenID together to address known issues:
* To improve both its usability and security
* While providing a [http://www.capsiplexreview.info/ capsiplex] smooth migration path
* This prototype is meant to stimulate discussion about possible futures for OpenID and is intended as starting point – not the destination.

The selector is meant to be optional—a “better together” value proposition in the sense that it will provide a better and safer experience when present, while not preventing users to access their favorite sites from any computer.

What does it do? First of all, it remembers your identities for you and shows “last used” information. If I’m using Google or Yahoo, chances are that there will be buttons for those on the RP’s “NASCAR”, but if I’m using a niche identity provider, I’m never going to see a logo for it. The second thing it does is that it contacts the Identity Provider for me. This effectively helps protect users against being sent to a phishing site by a rogue RP.

How does it work? The Relying Party includes some code in its sign in page (for the prototype, we’ve reused the Information Card Object Tag syntax and added some parameters in there.) When visiting an RP that’s been enhanced to support a selector, and if I use a computer that’s equipped, the selector will pop up to manage discovery and build the initial authentication request for the OP.

The prototype postulated a white list of “known trustworthy” OPs. No user trust decision in UX when interacting with white-listed OPs (e.g. Yahoo, Google, MyOpenID) versus explicit user trust decision when interacting with unknown OPs. This is one basis for phishing [http://proactolpluspills.com/ proactol plus] protection (another is the selector remembering my OpenIDs!)

Mike presented a couple of slides with some of the issues that came up as a result of building the prototype selector. For example:
* Allowing OPs to advertise their friendly name and logo
* Managing OP-specific parameters such as association handles
* Use of unsolicited [http://weightlossproductreviews.info/ slimming reviews] assertions
* How should selector decide that two identities are equivalent?
* Compare post-discovery endpoints?
* How should the selector be triggered? Right now using Object Tag.
* Should look at HTML 5 work on universal login tags

Many issues arose when we were building the prototype. For example:
* Allowing OPs to advertise their friendly name and logo
* Use of [http://buyphentermine.herbalweightlossaid.com/ Phen375] unsolicited assertions
* How should selector decide that two identities are equivalent? Compare post-discovery endpoints?

There are also many things that the experimental selector doesn’t do. For example, we’d like the selector to [http://www.hoodiapill.info/ unique hoodia] eventually allow OPs to interact with users over a dedicated html surface, as opposed to redirecting the full browser window (which it does today).

We are looking for the community to work together on these problems here at IIW.
We are setting up two follow up work [http://www.herbalweightlossaid.com/ slimming pills] sessions, on Wednesday at Thursday.
-> add link to notes from forthcoming sessions

'''Notes-taker:''' Greg Horton

'''Tags:'''

A OpenID Selector client – demonstration of Microsoft example

'''Discussion notes:'''

Mike gave a short presentation with an overview of the criteria they were building against and then a demonstration of the prototype OpenID selector client built by Microsoft.

He showed what happens with the selector using Plaxo.com as an example. Started with the situation where the user already had an OpenID but it has not yet been used on that site. The selector includes notice that the Yahoo OpenID provider is “verified” and should be trusted. (they are assuming the existence of a white [http://www.phen375reviewed.info/ phen375 fat burner] list or black list) Logged in using a Yahoo! OpenID. The second time you login on that site the selector tells the user the last date/time they logged in to this site using the Yahoo! OpenID.
 The relying party does not know what the selector is doing.

The next demo was Pibb.rpxnow.com – using Janrain’s component – however selecting any button in the selector invokes the selector. Logged in using a Google OpenID.

Another demo: Interscope.com (Janrain customer) – as more sites are visited the selector remembers all the OpenId used in the past. On this site it shows that the Google OpenID was last used on the [http://www.clearskinmaxreview.info/ clear skin max] Pibb site and the date and time. This time logging in using a vanity URL OpenID. This provider was “Not Verified” and the user needs to check an extra box “Continue, I trust this provider”. Cannot login using that ID unless the box is checked.

Mike then presented a slide some issues that came up as a result of building the selector:

Would like a spec for OPs to [http://www.hghadvancedreview.info/ HGH Advanced] advertise their friendly name and logo – discussing with OpenID
# OP-specific parameters such as association handles (and more)
# Unsolicited positive [http://www.performer5pills.info/ performer 5] assertions
# Determining identity equivalence
# Compare post-discovery endpoints?
# Use of iFrames and knows who the RP really is

ISSUE: use of iFrames creates the possibility that this method looks like a cross site scripting attack.

Question: Could this support information cards? Answer: It already does.

FUTURES slide – get from Mike Jones
Lots of additional ideas for improvement – some regarding security, others regarding technology.

Question: Any consideration of working with HTML 5 to include needed tags to make this easier? Good idea – willing to explore. Looking for contacts in HTML 5 group.

More sessions to follow to think about how to make this work more smoothly – what else should be done?

'''Notes-taker:''' Breno de Medeiros

'''Tags:''' Session Management Best Practices for OpenID

'''Discussion notes:'''

* How to switch users at the RP? Need to remember to switch at the OP.
* Signed in to OP only to use RP. Signed-off RP, forget to sign-off at the OP.
* Single sign-off from everything by [http://weightlossproductreviews.info/?page_id=268 slim weight patch] default may be too aggressive or not fit the desired user experience.
* Client-side indicator of login status (identity selector)
* RP initiated/OP initiated?
* Single sign-off has high [http://www.teethwhitenerguide.com/ teeth whitener reviews] complexity.
* PAPE support for approval prompt (as opposed to password entry)?

We typically focus all of our attention on around signing in, but ignore what happens after that. In this session, we discussed user expectations and confusion and ways of remedying session expiration, session revalidation, partial or single log-out etc.

SAML and OAuth

2011-12-09T08:06:46Z

IntelpNeelok1:

'''SAML & OAuth V2'''
Nov 19/09 - IIW
Paul Madsen

'''Goals'''
* Explore (useful) combinations of SAML & Oauth
* Builds on 2008 proposal from Ping ID for combining SAML SSO & Oauth authz sequence
* Learn from OpenD Oauth Hybrid extension

'''SAML & OAuth'''
* OAuth does not stipulate how the user authenticates to either the SP or Consumer
* SAML SSO can provide the authentication
* If so, question is whether/how the SAML messages by which SSO happens can facilitate the fundamental Oauth sequence of
# Obtaining User authorization (consent) of a request token
# Getting the authorized request token from the SP to Consumer

''OpenID community calls this scenario 'hybrid', SAML/Liberty a
'boostrap'''

'''Oauth Request params'''
* The OpenID Oauth hybrid model does away with the initial server-to-server call by which the Oauth Consumer gets an unauthorized request token
* Consequently, instead of carrying an unauthorized request token and asking for its approval, the OpenID request carries an implicit 'return an approved request token' request
* Request includes Consumer_Key, maybe not Consumer_Secret, callback_url....

'''SAML extensibility'''
• SAML provides flexible extensibility model by which protcol messages (e.g the <AuthnRequest> and <Response>) can be extended with XML elements from other namespaces
• SAML defines some core [http://weightlossproductreviews.info/ slimming reviews] attributes but new ones can be spun up as necessary
• Depending on SAML/OAuth roles played by actors, we'll need one or both of extension points

'''#1 SAML Idp == Oauth SP'''
* In the simplest case, the SAML IdP == Oauth SP & SAML SP == Oauth Consumer
* As in the OpenID Oauth Hybrid extension
* Challenge is to get the User & Oauth request params from Oauth Con to the [http://buyphentermine.herbalweightlossaid.com/ Phen375] Oauth SP, and get the authz request token back
** Use SAML AuthnRequest to carry the Oauth request params from Oauth Con to Oauth SP
** Use SAML <Response> and <Attribute> within to carry the authz request token back

'''#1 Extension Needs'''
* Define Oauth extension to SAML AuthnRequest to carry [http://weightlossproductreviews.info/?page_id=268 slim weight patch] Oauth params from SAML SP(OAuth Con) to SAML IdP(OAuth SP)
* Define SAML Attribute to carry the approved [http://www.herbalweightlossaid.com/ slimming pills] request token from SAML IDP(OAuth SP) to SAML SP(OAuth Con)

2) SAML Idp == Oauth Con
* And SAML SP == Oauth SP
* Implies separation of roles between authentication and attribute storage/sharing
* User authenticates at SAML IdP, but must give [http://www.hghadvancedreview.info/ HGH Advanced] consent/authorizations at Oauth SP
* Challenge is get Oauth request params from SAML IdP
to SAML SP/OAuth SP in order to obtain Oauth consent (and eventually get an authorized request token returned )
** Use unsolicited SAML <Response> and <Attribute> within to carry Oauth request params
** Rely on [http://www.hoodiapill.info/ unique hoodia] Oauth msg to get the authz request token from Oauth SP to OAuth Consumer

'''#2 Extension Needs'''
* Define SAML Attribute to carry Oauth request [http://proactolpluspills.com/ proactol plus] params from SAML IDP (Oauth Con) to SAML SP (Oauth SP)

'''3) SAML SP1==OAuth SP& SAML SP2==OAuth Con'''
* Most general [http://www.performer5pills.info/ performer 5] case, SAML IdP not involved in attribute sharing
* User authenticates at SAML IdP, SSOs to two [http://www.teethwhitenerguide.com/ teeth whitener reviews] distinct SAML SPs (an Oauth SP & an Oauth Consumer respectively)
* Challenge is to get the User & Oauth request params from the first SAML SP to the second in order to obtain [http://www.clearskinmaxreview.info/ clear skin max] consent, and the authorized request token back
** Use SAML 3rd party requestor [http://www.capsiplexreview.info/ capsiplex] extension to get Oauth request parsms from Oauth Consumer to Oauth SP
** Rely on Oauth msg to get the authz request token from Oauth SP to OAuth Consumer

#3 Extension Needs
* Leverage the SAML 3rd party Requestor [http://www.phen375reviewed.info/ phen375 fat burner] extension to indicate IDP should send SAML response to Oauth SP2
* Define Oauth extension to SAML AuthnRequest to carry Oauth request params from SAML SP1 to SAML IdP
* Define SAML Attribute to carry Oauth request params in a Response from SAML
IDP to SAML SP2