Subject: OSSML web-user interactions
Considering just the vanilla end-user-with-web-browser case, I think there may be a little debate to be had about what interaction scenarios must/should/may be supported. I think we agree that in the common/minimal case there are three players: the user (with browser), the target resource site (relying party, RP), and the "login" site (asserting party, AP). The question is, what sorts of interactions are to be supported between the user and the RP and AP.

One approach I might call go-to-AP-first. The user, at first interaction with the "ecosystem" in Jamcracker terms, interacts with the AP to provide it with assurance of the user's identity (i.e., "authenticates"). The user then indicates to the AP which target site (RP) the user wants to access. The AP constructs the right security stuff to be supplied to the RP, and sends it to the user along with a redirection to the RP site. The RP consumes the security stuff and makes an access decision (possibly with additional interaction with the AP).

Another is go-to-RP-first. The user directs the browser to the RP, which notes the lack of the needed security stuff and provides the user the ability to navigate to the user's AP, while supplying info about the RP. The user authenticates to the AP, the AP uses the RP info to construct the right security stuff for that RP, gives it to the user and redirects the user to the RP as above.

The scenarios we developed for the Shibboleth project were based on the go-to-RP-first approach. There are several reasons for this, most of them design-related as I mentioned in a previous note. But I suggest, just considering user experience, that go-to-RP-first is at least *desirable* to support since it's a natural way for people to use their browsers. If go-to-RP-first isn't supported, and the user experience is, when they do go to the RP first anyway, that the system tells them they can't do what they want and can't help them get to the right place, I think this is clearly an inferior user experience.

Similarly, if the only way to get to an RP is to provide its URL to the AP, this strikes me as unnatural. It may be that go-to-RP-first is too hard to do in the general case so we have to live without it, but we should be aware of the tradeoffs.

- RL "Bob"
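As an added illustration of the two flows described in this note (not code from the post, the Shibboleth project or Jamcracker), the following Python model walks a user, an RP and an AP through both go-to-AP-first and go-to-RP-first, and shows what the RP-first redirect must carry (the RP's own identity) for the AP to build "security stuff" for that specific RP. The token format (an HMAC-signed JSON body with an `aud` field), the URLs and the user names are constructed assumptions; the example goes one step beyond the note by having the RP reject a token that was issued for a different RP.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import parse_qs, urlencode, urlparse

AP_KEY = b"constructed-ap-signing-key"  # constructed: key the RPs use to verify the AP's tokens
AP_LOGIN = "https://ap.example/login"   # hypothetical AP login URL

class AssertingParty:
    """The 'login' site: authenticates the user and builds the security stuff for one RP."""
    def issue(self, user, rp_url):
        body = json.dumps({"sub": user, "aud": rp_url, "nonce": secrets.token_hex(8)}).encode()
        mac = hmac.new(AP_KEY, body, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(body).decode() + "." + mac

    def ap_first(self, user, rp_url):
        # go-to-AP-first: the (already authenticated) user names the RP; AP redirects there
        return rp_url + "?" + urlencode({"token": self.issue(user, rp_url)})

    def handle_redirect(self, user, url):
        # go-to-RP-first: the RP's redirect carries the RP identity the AP needs
        rp_url = parse_qs(urlparse(url).query)["rp"][0]
        return self.ap_first(user, rp_url)

class RelyingParty:
    """The target site: consumes a token, or bounces the user to the AP with its own identity."""
    def __init__(self, url):
        self.url = url

    def access(self, url):
        """Return ('ok', user), ('redirect', ap_url) or ('deny', reason)."""
        q = parse_qs(urlparse(url).query)
        if "token" not in q:  # no security stuff yet: send the user to the AP, saying who we are
            return ("redirect", AP_LOGIN + "?" + urlencode({"rp": self.url}))
        b64, _, mac = q["token"][0].partition(".")
        body = base64.urlsafe_b64decode(b64)
        expected = hmac.new(AP_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return ("deny", "bad signature")
        claims = json.loads(body)
        if claims["aud"] != self.url:  # the AP built this token for a different RP
            return ("deny", "token issued for another RP")
        return ("ok", claims["sub"])

def go_to_rp_first(user, rp, ap):
    """User types the RP's URL; RP bounces to the AP; AP bounces back with a token."""
    kind, ap_url = rp.access(rp.url)
    return rp.access(ap.handle_redirect(user, ap_url)) if kind == "redirect" else (kind, ap_url)

def go_to_ap_first(user, rp, ap):
    """User logs in at the AP and names the RP; the AP sends them straight there."""
    return rp.access(ap.ap_first(user, rp.url))
```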