IIW 2009b Identity Selector Discussion
INTERNET IDENTITY WORKSHOP
Issue/Topic: Active Selectors and similar topics
Session Number – Space/Location Letter: Room E, 11:30am
Convener: Mike Jones
Notes-taker(s): Eric Sachs
A. Tags for the session - technology discussed/ideas considered:
OpenID, ActiveSelectors, Kantara, SAML, InformationCard, CardSpace
B. Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
First demo: Azigo's browser-extension for OpenID identity selector
- Button on browser toolbar to initiate the identity selector
- www.openidpad.com is the sample RP site
- Metatag in RP's site causes the button to be shown in the toolbar
- Uses an XRDS file for more information; it exposes the RP's needs, similar to InfoCard practices
- Tells the selector what AX information to ask for from the IDP
- The selector then sends the user to the IDP with a request for that information, and tells the IDP to send an unsolicited positive assertion back to the RP
- All pages on his RP site include a metatag with a reference to the XRDS file. That allows the selector to activate the toolbar button on every page
- Demo has hardcoded list of possible IDPs, but could obviously be enhanced
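The discovery step in this demo (meta tag on the RP page pointing at an XRDS file) is also what an IDP or selector relies on to confirm where an assertion may be sent. The following is an added example, not Azigo's code: it reads the X-XRDS-Location meta tag, pulls the return_to URIs the RP declares in its XRDS, and refuses a return_to URL the RP never declared. The HTML, the XRDS and the rp.example / evil.example hosts are constructed for this example; the return_to service type is the OpenID 2.0 one.

```python
"""
Added example (not Azigo's code): locate an RP's XRDS from the meta tag on
an RP page and verify that a return_to URL is one the RP declared before
an assertion is sent there. Sample HTML, XRDS and hosts are constructed.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XRD_NS = "xri://$xrd*($v*2.0)"
# Service type an OpenID 2.0 RP advertises for return_to verification.
RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"

# Constructed RP page: every page carries the meta tag, as in the demo.
SAMPLE_HTML = """<html><head>
<meta http-equiv="X-XRDS-Location" content="https://rp.example/xrds.xml">
<title>Sample RP</title></head><body>...</body></html>"""

# Constructed XRDS for the RP (rp.example is a placeholder host).
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/return_to</Type>
      <URI>https://rp.example/openid/return</URI>
      <URI>https://rp.example/openid/return_popup</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def xrds_location(html):
    """Return the URL from the page's X-XRDS-Location meta tag, or None."""
    m = re.search(
        r'<meta[^>]*http-equiv=["\']X-XRDS-Location["\'][^>]*content=["\']([^"\']+)["\']',
        html, re.IGNORECASE)
    return m.group(1) if m else None


def return_to_uris(xrds_text):
    """Collect every URI of each Service whose Type list includes return_to."""
    uris = []
    root = ET.fromstring(xrds_text)
    for service in root.iter(f"{{{XRD_NS}}}Service"):
        types = [t.text.strip() for t in service.findall(f"{{{XRD_NS}}}Type") if t.text]
        if RETURN_TO_TYPE in types:
            uris.extend(u.text.strip() for u in service.findall(f"{{{XRD_NS}}}URI") if u.text)
    return uris


def _path_under(path, prefix):
    """True if path equals prefix or lies below it on a '/' boundary."""
    prefix_dir = prefix if prefix.endswith("/") else prefix + "/"
    return path == prefix or path.startswith(prefix_dir)


def return_to_allowed(candidate, xrds_text):
    """Simplified OpenID 2.0 return_to check: same scheme and host:port as a
    declared URI, and the declared path is a prefix of the candidate path."""
    c = urlparse(candidate)
    for declared in return_to_uris(xrds_text):
        d = urlparse(declared)
        if (c.scheme, c.netloc) == (d.scheme, d.netloc) and _path_under(c.path, d.path):
            return True
    return False


if __name__ == "__main__":
    print("XRDS at:", xrds_location(SAMPLE_HTML))
    print("declared return_to:", return_to_uris(SAMPLE_XRDS))
    for url in ("https://rp.example/openid/return?nonce=1",
                "https://evil.example/openid/return"):
        print(url, "->", "allowed" if return_to_allowed(url, SAMPLE_XRDS) else "rejected")
```

The host and scheme comparison is what stops a request that names the RP's realm but asks for the assertion to be returned elsewhere; the path prefix rule is the same shape as the realm matching in the OpenID 2.0 spec, reduced here to what the example needs.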
Second demo: Adventure Works RP – http://openidux.dotnetopenauth.net/
- Built with a JavaScript client that the RP points to from its Login button
- Login button and Visit Members Area button
- Login button shows Nascar UI
- He is okay with a few buttons plus an OpenID button for the long tail, and tells people to use Google to create a new account if they don't have an account with one of the existing buttons or an OpenID
- All buttons use the popup
- The site remembers the last IDPs you visited, and puts those buttons earlier
- The site also does background checkid_immediates to all IDPs that have a button and shows a green checkbox for the ones where the user is logged in
- If the user clicks the OpenID button, it uses Ajax to show a box below to capture the URL; i-names are supported as well. After discovery is done, it uses Ajax to show a login button that lets the user choose among the multiple IDPs they may have delegated to.
- Provides RP account management options to add multiple OpenIDs associated with the same account
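The background checkid_immediate described above only tells the RP something if the RP treats the answer the way it would treat a login: a setup_needed reply means "not logged in", and an id_res reply earns the green checkbox only after the signature over the signed fields, the return_to and the nonce have been checked. The following is an added example, not code from the Adventure Works demo or from DotNetOpenAuth: it builds the checkid_immediate request (with an AX fetch_request for the attributes the RP wants) and classifies the OP's answer. The op.example / rp.example endpoints, the association handle and the association secret are constructed placeholders; the signing rule (HMAC over the key-value form of the fields named in openid.signed, base64 in openid.sig) is the OpenID 2.0 one.

```python
"""
Added example (not the demo's or DotNetOpenAuth's code): build a
checkid_immediate request with an AX fetch_request, then verify the OP's
reply before showing "logged in" for that IDP. Endpoints, handle and
secret are constructed placeholders.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
AX_NS = "http://openid.net/srv/ax/1.0"
# Fields a positive assertion must sign (claimed_id/identity too, when present).
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}


def build_immediate_request(op_endpoint, claimed_id, return_to, realm,
                            assoc_handle, ax_attrs=None):
    """Return the checkid_immediate URL; ax_attrs maps an alias to an AX type URI."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_immediate",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.assoc_handle": assoc_handle,
    }
    if ax_attrs:
        params["openid.ns.ax"] = AX_NS
        params["openid.ax.mode"] = "fetch_request"
        for alias, type_uri in ax_attrs.items():
            params[f"openid.ax.type.{alias}"] = type_uri
        params["openid.ax.required"] = ",".join(ax_attrs)
    return op_endpoint + "?" + urlencode(params)


def signature(params, secret):
    """HMAC-SHA256 over the key-value form ('key:value\\n') of the signed fields."""
    signed = params["openid.signed"].split(",")
    kv = "".join(f"{k}:{params['openid.' + k]}\n" for k in signed)
    mac = hmac.new(secret, kv.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def classify_response(query_string, secret, expected_return_to, seen_nonces):
    """Map an OP reply to what the UI may show for that IDP's button."""
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    mode = params.get("openid.mode")
    if mode == "setup_needed":
        return "not_logged_in"      # user must interact with the OP: no green check
    if mode != "id_res":
        return "error"
    signed = set(params.get("openid.signed", "").split(","))
    if not REQUIRED_SIGNED <= signed:
        return "invalid"            # an unsigned return_to or nonce could be swapped
    try:
        expected_sig = signature(params, secret)
    except KeyError:
        return "invalid"            # a field named in openid.signed is missing
    if not hmac.compare_digest(expected_sig, params.get("openid.sig", "")):
        return "invalid"
    if params["openid.return_to"] != expected_return_to:
        return "invalid"            # reply was meant for a different return URL
    nonce = (params["openid.op_endpoint"], params["openid.response_nonce"])
    if nonce in seen_nonces:
        return "replayed"
    seen_nonces.add(nonce)
    return "logged_in"


def make_positive_response(secret, return_to, nonce="2009-11-04T19:30:00Zab12"):
    """Constructed OP-side positive assertion so the example runs offline."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/openid",
        "openid.claimed_id": "https://user.op.example/",
        "openid.identity": "https://user.op.example/",
        "openid.return_to": return_to,
        "openid.response_nonce": nonce,
        "openid.assoc_handle": "assoc-placeholder",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    params["openid.sig"] = signature(params, secret)
    return urlencode(params)


if __name__ == "__main__":
    secret = b"constructed-association-secret"
    rt = "https://rp.example/openid/return"
    print(build_immediate_request("https://op.example/openid", "https://user.op.example/",
                                  rt, "https://rp.example/", "assoc-placeholder",
                                  {"email": "http://axschema.org/contact/email"}))
    seen = set()
    reply = make_positive_response(secret, rt)
    print(classify_response(reply, secret, rt, seen))   # logged_in
    print(classify_response(reply, secret, rt, seen))   # replayed
```

The nonce set is keyed by OP endpoint because nonces are only unique per OP; a real RP would also confirm that the claimed_id in the reply is the one it ran discovery on and that the op_endpoint matches that discovery, which this example omits.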
Demo: Google's CDS that does NOT use a browser-extension
- Slides at http://docs.google.com/present/view?skipauth=true&id=ajkhp5hpp3tt_67dvg24phj
- Described at https://sites.google.com/site/oauthgoog/UXFedLogin/central-discovery-service
Kantara slides of their UX initiative
- Described a recent group they started to pull together to brainstorm on UX goals without considering the protocol
- Showed an example of the challenge NIH has with the large number of IDPs it trusts across multiple classes such as schools, consumer IDPs, etc.
- Gave the example of providing a search box over those IDPs
- Group noted that IDPs want to control how authentication happens, so that probably should not be in the selector
Part 2: 1:30pm in room E
Dr. Ernie from Apple attempting to summarize goals. Notes at http://iiw.idcommons.net/Active_Client_iiw9#Client_Lifecycle