
This page describes a real-world use case of a website that supports (or soon will support) three identity protocols. What is written here is one of many possible use cases (interactions) that Alice could have with this site.

Edit History

  • PaulT: 10/16/09: Changed preconditions so that Alice is pre-configured with Ohio State IdP and Equifax --now we need to update the mockups to align

Preconditions

Alice:

  • Wants to sign-in to the NIH site
  • Has never been to this NIH site before
  • Alice already has a multi-protocol browser add-on (aka selector, smart client, etc.)
  • Has configured her add-on with:
    • OpenID: Yahoo, AOL, Google, Facebook
    • SAML: Ohio State
    • Infocard: Equifax Identity Card, PayPal
  • Is not logged in to any of her OpenIDs or SAML IdPs at the moment
  • Has not defined a "default" OpenID, SAML or InfoCard

NIH Site:

  • Is a SAML, OpenID, and IMI/InfoCard compatible RP
  • Trusts these OpenIDs:
    • Yahoo, AOL, Google
  • Trusts these SAML IdPs:
    • InCommon Federation (of which Ohio State is a member)
  • Trusts these Infocards:
    • Equifax, Citigroup, Wave Systems, Acxiom

Flow

  1. The user clicks on a "sign in" button on the NIH site
    1. The add-on reads some data that tells it:
      1. That the site is an RP for the OpenID, IMI and SAML protocols (unusually, it does not support username/password!)
      2. The list of attributes that the site wishes to receive and, for each attribute, the list of authorities that the RP trusts. In our case the site is going to request only a non-correlatable identifier (aka an IMI "PPID", aka an OpenID "directed" identity), and it trusts only Yahoo, AOL, Google, as well as Facebook, Equifax, Citigroup, Silicon Wave, Acxiom to issue this attribute
  2. The add-on displays a login window.
    1. It prominently shows the following accounts that could be used immediately (because Alice has these accounts and the NIH site accepts these accounts):
      1. Google
      2. Ohio State
      3. Yahoo
      4. Equifax
      5. AOL
      6. PayPal
    2. It also shows accounts that Alice could use if she first registered with these IdPs:
      1. Acxiom
      2. Wave Systems
      3. Citigroup
  3. Alice clicks on Google
  4. Alice authenticates to Google
  5. Alice agrees to share Google attributes with NIH

Mockups

Step #1: Alice clicks a Sign-in button (not shown)

Step #2: The add-on displays this "account selector" window:

Notes:

  • Alice's Facebook and Janrain OpenIDs are not shown in the "account selector" because the RP site doesn't include Facebook in its white list
  • The "Favorites" section lists accounts that are common to (a) Alice's list of configured OpenIDs and (b) the RP's white list
  • The "Other options" section lists accounts that Alice does not have but that are in the RP's white list
  • The three dots imply that there are 2 more pages of "other options"
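
The selection rule in these notes, applied to the lists under Preconditions, as an added example that is not part of the original page or of any add-on's code. The function names, the data shapes and the federation membership map are assumptions; the membership map stands in for real federation metadata.

```javascript
// Added example. Names and data shapes are hypothetical; values are from Preconditions.
const alice = {
  openid: ["Yahoo", "AOL", "Google", "Facebook"],
  saml: ["Ohio State"],
  infocard: ["Equifax", "PayPal"],
};
const nihPolicy = {
  openid: ["Yahoo", "AOL", "Google"],
  saml: ["InCommon Federation"],
  infocard: ["Equifax", "Citigroup", "Wave Systems", "Acxiom"],
};
// Constructed stand-in for federation metadata: federation name -> member IdPs.
const federationMembers = new Map([["InCommon Federation", ["Ohio State"]]]);
// Own-property lookup so an unexpected protocol name never reaches the prototype.
const listFor = (obj, protocol) =>
  Object.prototype.hasOwnProperty.call(obj, protocol) ? obj[protocol] : [];

// True when the RP trusts `idp` for `protocol`, directly or through a federation.
function rpTrusts(policy, protocol, idp) {
  return listFor(policy, protocol).some(
    (entry) => entry === idp || (federationMembers.get(entry) || []).includes(idp)
  );
}

function buildSelector(user, policy) {
  const result = { favorites: [], otherOptions: [], hidden: [] };
  for (const [protocol, idps] of Object.entries(user)) {
    for (const idp of idps) {
      // Matching is per protocol: an OpenID account never satisfies an InfoCard entry.
      const bucket = rpTrusts(policy, protocol, idp) ? "favorites" : "hidden";
      result[bucket].push({ protocol, idp });
    }
  }
  for (const [protocol, trusted] of Object.entries(policy)) {
    for (const entry of trusted) {
      if (federationMembers.has(entry)) continue; // a federation is not an account
      if (!listFor(user, protocol).includes(entry)) {
        result.otherOptions.push({ protocol, idp: entry });
      }
    }
  }
  return result;
}

const names = (accounts) => accounts.map((a) => a.idp);
const selector = buildSelector(alice, nihPolicy);
console.log("Favorites:    ", names(selector.favorites).join(", "));
console.log("Other options:", names(selector.otherOptions).join(", "));
console.log("Not shown:    ", names(selector.hidden).join(", "));
```

With the Preconditions as written, Facebook and PayPal both land in the not-shown group, because neither appears on the NIH trust lists. The filter only decides what the add-on displays; the RP still has to check the issuer of whatever token it receives against the same lists.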

Questions:

  1. Not sure what the purple with the lower case white i represents. It looks like an infocard, but the brand/issuer isn't displayed
  2. We should change Silicon Wave to Wave Systems

Step #3: Alice clicks on Google.

The add-on now displays (hmm...since the add-on knows that Alice already has a Google account, it probably shouldn't show the "Don't have a Google Account?" text):

Step #4: Alice authenticates to Google

Alice types in her username & password and clicks "Sign in" (not shown)

Step #5: Alice agrees to share Google attributes with NIH

V2 Mockups

Step #2 (version 2)

Step #3 (version 2):

Step #5 (version 2):
