You are viewing an old version of this page. View the current version.
Compare with Current
View Page History
« Previous
Version 3
Next »
Operational
- This is a pilot -- use at your risk initially ....
- What is the SLA for the GW -- 5 X 8 coverage (business hours)
- provided identity is low assurance,
- do NOT require that browser user login from IDP contained in the invite email
- should be a single discovery service per RP - shouldn't have to select "social gateway" from the local DS, then at the social gateway, select yet another social IDP
- each RP needs to decide whether to support the self-registration use case
- separate out the account linking problem, out of scope for this discussion. Perhaps it is a separate service.
Mode 1 -- SP uses Embedded Discovery Service
- This mode can be used with both the invitation model and the self-registration at the SP model
- Browser user must be able to transparently traverse the GW
- Browser user selects social identity provider within the EDS; SP tells GW which social identity provider to "relay" to ...
Mode 2 -- SP Uses central Invitation Service
- Is anyone actually interested in this model ?
- Issuing the invitation (via email) and remembering which permissions it is associated with seems like an SP issue
- preserve any URI that's passed to an invitation service
Mode 3 -- SP relies on Central DS which Includes Social Options
- SP passes the GW a filter specifying acceptable IDPs (both SAML and social ? ) SP provides json feed ?
- User is presented with a DS, selects IDP, "normal" flow.
- SP can pass a token to the GW (indicating session at SP?); GW must return it
- GW MUST forward to the SP the original payload from IDP in an unmolested way (I believe this refers to the Assertion coming from the social IDP, in its native format)
- the GW should map and then forward individual attributes ....
- we need to define syntax, semantics for Assertions produced by GW