Hi Allen,
Thanks for the explanation.
I agree doing it before user authN makes sense, especially
as it leaves room to warn the user.
As for caching the verification, this is a feature we should look
into adding in our OpenSSO implementation.
Cheers
Hubert
On Jan 20, 2010, at 10:38 PM, Allen Tom wrote:
Hi Hubert -
RP Realm verification should be done by the OP before returning the assertion to the RP. Depending on the OP's security policies, the OP may want to warn the user, or even block the request if the return_to for the realm can't be verified.

It might make sense for the OP to verify the realm prior to authenticating the user, since it makes sense to detect the realm mismatch as early in the request lifecycle as possible. For instance - the OP could display a warning or error to the user before the user even logs in to the OP.

In Yahoo's case, we do the verification and cache the result so that it can be reused for multiple requests. As Andrew mentioned, we cache the result for an hour. We have seen some issues with data freshness when RPs change their return_to URLs.
Thanks
Allen
On 1/15/10 5:33 PM, "Andrew Arnott" <[email protected]> wrote:
Ya, you're free to do RP verification before or after authentication. In fact some major OPs like Yahoo cache the results for 1 hour and thus don't actually perform RP verification most times at all (if it's in their cache).
On Friday, January 15, 2010, Hubert Le Van Gong <[email protected]> wrote:
Greetings,
Is it correct to say the spec (2.0) does not mandate a specific moment in the protocol at which the RP/realm validation should occur? For instance, the OP could first authenticate the user and then perform RP verification, or it could do that validation before authenticating the user. Although the latter seems more intuitive (and efficient), would both be compliant?
Cheers,
Hubert
--
Hubert A. Le Van Gong
Identity Architect
Sun microsystems, Inc.
17 Rue Duprey
Grenoble, 38000
France
--------------------------------------------------
email: [email protected]
tel:+33 4 7663 0935
blog: http://blog.levangong.com/
N 45 11.900'
W 005 44.145'
Elev. 736 ft.
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
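The return_to/realm check and the cached result discussed in this thread, as an added example that is not code from any of the posters or from OpenSSO. It applies the OpenID 2.0 section 9.2 matching rules (scheme, port, host with a leading `*.` wildcard, path prefix) and keeps the RP's discovered return_to URLs for an hour; `discover` is an assumed stand-in for the OP's Yadis/XRDS lookup of the realm, the injected clock exists only so expiry can be exercised, and rejecting a wildcard over a bare TLD is a local policy choice rather than a spec requirement.

```python
"""OpenID 2.0 return_to/realm verification with a TTL cache (added example)."""
import time
from urllib.parse import urlsplit

def _port(u):
    return u.port or (443 if u.scheme == "https" else 80)

def url_matches(url, realm):
    """Section 9.2 rules: same scheme and port, path equal to or below the
    realm's path, host equal to the realm host or covered by a leading '*.'."""
    u, r = urlsplit(url), urlsplit(realm)
    if r.fragment or u.scheme not in ("http", "https") or u.scheme != r.scheme:
        return False  # realms must not carry a fragment
    if _port(u) != _port(r) or not u.hostname or not r.hostname:
        return False
    if r.hostname.startswith("*."):
        suffix = r.hostname[2:]
        if "." not in suffix:  # local policy (assumption): no wildcard on a bare TLD
            return False
        if u.hostname != suffix and not u.hostname.endswith("." + suffix):
            return False  # 'evilexample.com' must not match '*.example.com'
    elif u.hostname != r.hostname:
        return False
    base, path = r.path or "/", u.path or "/"
    return path == base or path.startswith(base.rstrip("/") + "/")

class RealmCache:
    """Holds the RP's published return_to URLs per realm for ttl seconds."""
    def __init__(self, ttl=3600, clock=time.time):
        self.ttl, self.clock, self._entries = ttl, clock, {}
    def get(self, realm):
        exp, urls = self._entries.get(realm, (0, None))
        return urls if exp > self.clock() else None  # None: miss or expired

    def put(self, realm, urls):
        self._entries[realm] = (self.clock() + self.ttl, tuple(urls))

def verify_request(realm, return_to, cache, discover):
    """Classify one request. `discover` stands in for the OP's Yadis/XRDS fetch
    of the RP's published return_to URLs and is only called on a cache miss."""
    if not url_matches(return_to, realm):
        return "realm_mismatch"  # cheap check; do it before authenticating
    published = cache.get(realm)
    if published is None:
        published = tuple(discover(realm))
        cache.put(realm, published)
    if any(url_matches(return_to, p) for p in published):
        return "verified"
    return "unverified"  # not listed by the RP; a stale cache can also cause this
```

A second request for the same realm inside the TTL never calls `discover`, which is also why a return_to the RP publishes after the cached lookup stays "unverified" until the entry expires.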