Re: [liberty-dev] Liberty Alliance Question

From “Conor P. Cahill” <>
Date Tue, 2 Sep 2003 13:39:32 -0400
Organization AOL, Inc.
Sender wrote on 9/2/2003, 1:06 PM:

After reading the Liberty Alliance Specification I have a question about the example in the ID-FF Overview document.
How can the service provider determine, when a principal visits his website, whether to initiate a single sign-on and federation profile or to prompt the principal to log in to his local account, without any interaction from the principal?

This depends upon the environment.  For example, in an enterprise environment, the SP probably knows the one and only IdP available to all corporate employees and will likely always direct the authentication to that IdP (probably not even having a “local” authentication means).

In an internet e-commerce environment, it also depends upon the service currently being accessed at the SP.  For example, if this is the home page for the SP and they just want to provide you with some form of personalized information AND they are using some automatic means to identify your IdP (either a common domain cookie or a cookie in the SPs domain that the SP stored when you previously used a particular IdP), they will likely do a passive authentication request (IsPassive=true) to the IdP.

If the passive authentication request failed and you are somewhere where the SP really needs to know who you are (perhaps you have initiated a purchase), if they know the IdP (using any of the means spelled out above), they would resubmit the authentication request with IsPassive=false to get the IdP to authenticate you.

In the case where the SP does not know who your IdP is, they will likely present you with a screen that requests your local credentials, but also provides something to indicate that you can use your IdP's credential instead (e.g. a button that says “Use my AOL screen name” — wonder where that one came from :-)).

While this behavior is supported in the protocols, it is in no way required.  There are many other mechanisms that could be used by the SP to determine the IdP to use for authentication and the definition of these mechanisms is out-of-scope for the liberty specification (other than the introduction protocol).

Please note that these answers all deal with the issue of Single Sign-On, not necessarily federation.  I would assume that Federation would only be attempted if the user somehow indicated that they wanted to federate (most likely in response to a prompt from the SP).
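The SP-side decision procedure described in this reply (IdP discovery from a common domain or SP-domain cookie, a passive authentication request first, escalation to IsPassive=false only once identity is actually needed, and a local login prompt with an "use my IdP" option when no IdP is known), written out as an added example. It is not code from the email or from any Liberty Alliance specification; the cookie names and the `Decision` structure are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample cookies (hypothetical names, not defined by Liberty ID-FF):
# a common-domain cookie naming the IdP the principal last used, and an
# SP-domain cookie the SP itself stored after an earlier authentication.
COMMON_DOMAIN_COOKIE = {"liberty_idp": "https://idp.example.test"}
SP_DOMAIN_COOKIE = {"last_idp": "https://idp.example.test"}


def discover_idp(common_cookie: dict, sp_cookie: dict,
                 enterprise_idp: Optional[str] = None) -> Optional[str]:
    """Return the IdP the SP should use, or None when it cannot tell.

    An enterprise SP with a single IdP short-circuits discovery; an
    e-commerce SP falls back to whichever cookie it can read.
    """
    if enterprise_idp:
        return enterprise_idp
    return common_cookie.get("liberty_idp") or sp_cookie.get("last_idp")


@dataclass
class Decision:
    action: str                  # "authn_request", "local_login_prompt", "anonymous"
    idp: Optional[str] = None
    is_passive: Optional[bool] = None   # maps to the AuthnRequest IsPassive flag
    offer_idp_button: bool = False      # show "use my IdP credential" on the form


def decide(idp: Optional[str], identity_required: bool,
           passive_failed: bool = False) -> Decision:
    """Choose what the SP does for a principal who has no session yet."""
    if idp is None:
        # Unknown IdP: local credentials, plus a way to pick an IdP instead.
        return Decision("local_login_prompt", offer_idp_button=True)
    if identity_required:
        # Purchase or similar: the IdP must authenticate, even interactively.
        return Decision("authn_request", idp, is_passive=False)
    if not passive_failed:
        # Personalised home page: try SSO without bothering the principal.
        return Decision("authn_request", idp, is_passive=True)
    # Passive SSO failed and nothing here needs identity: serve anonymously.
    return Decision("anonymous", idp)
```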
