On Tue, 12 May 2009, Luke Shepard wrote:
> Agreed. If all you want is a group, then I’d think that the response would just not include an identifier. You could use an extension, perhaps AX, to request information about the group a user belongs to. For example, if you wanted to understand company membership, you could request and return only http://axschema.org/company/name.
FWIW, this is consistent with years of practice in many technical domains, including Kerberos and SAML.
- RL "Bob"
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
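Added example, not part of the original thread: a relying-party sketch of the exchange discussed above, an OpenID 2.0 request that carries only an AX fetch for http://axschema.org/company/name with no `openid.claimed_id` or `openid.identity`, and a reader for the matching response. The function names, endpoints and sample values are hypothetical; signature verification is assumed to have happened already, and the attribute is assumed single-valued.

```python
from urllib.parse import urlencode, parse_qsl

OPENID2_NS = "http://specs.openid.net/auth/2.0"
AX_NS = "http://openid.net/srv/ax/1.0"
COMPANY_NAME = "http://axschema.org/company/name"  # attribute named in the thread


def build_group_request(op_endpoint, return_to, realm):
    """Authentication request with an AX fetch and no claimed_id/identity."""
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_setup",
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_request",
        "openid.ax.type.company": COMPANY_NAME,
        "openid.ax.required": "company",
    }
    return op_endpoint + ("&" if "?" in op_endpoint else "?") + urlencode(params)


def read_group_response(query):
    """Return the company name from an identifier-less assertion.

    Assumes the signature over the openid.signed fields was already verified.
    """
    p = dict(parse_qsl(query, keep_blank_values=True))
    if p.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    # Policy of this example: no identifier was requested, so none is accepted.
    if "openid.claimed_id" in p or "openid.identity" in p:
        raise ValueError("unexpected identifier in response")
    # The OP may choose its own aliases, so resolve them by URI, not by name.
    ns_prefix = "openid.ns."
    ns = next((k[len(ns_prefix):] for k, v in p.items()
               if k.startswith(ns_prefix) and v == AX_NS), None)
    if ns is None or p.get(f"openid.{ns}.mode") != "fetch_response":
        raise ValueError("no AX fetch_response")
    type_prefix = f"openid.{ns}.type."
    attr = next((k[len(type_prefix):] for k, v in p.items()
                 if k.startswith(type_prefix) and v == COMPANY_NAME), None)
    value = p.get(f"openid.{ns}.value.{attr}") if attr else None
    if value is None:
        raise ValueError("company/name not returned")
    # AX fields missing from openid.signed are not vouched for by the OP.
    signed = set(p.get("openid.signed", "").split(","))
    needed = {f"ns.{ns}", f"{ns}.mode", f"{ns}.type.{attr}", f"{ns}.value.{attr}"}
    if not needed <= signed:
        raise ValueError("AX fields not covered by openid.signed")
    return value
```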