...
- Is a SAML, OpenID, and IMI/InfoCard compatible RP
- Trusts these OpenIDs:
- Yahoo, AOL, Google
- Trusts these SAML IdPs:
- InCommon Federation (of which Ohio State is a member)
- Trusts these Infocards:
- Equifax, Citigroup, Wave Systems, Acxiom
Flow
...
A
Flow A is one of the flows (see the end of this document for more flows):
- The user clicks on a "sign in" button on the NIH site
- The addon reads some data that tells it stuff like:
- That the site is an RP for OpenID, IMI and SAML protocols (unusually it does not support username/password!)
- The list of attributes that the site wishes to receive and for each attribute the list of authorities that the RP trusts. In our case the site is going to request only a non-correlateable identifier (aka an IMI "PPID", OpenID "directed" identity, SAML "persistent" NameID) and that it trusts only Yahoo, AOL, Google, as well as Facebook, Equifax, Citigroup, Silicon Wave, Acxiom, and InCommon IdPs to issue this attribute
- The add-on displays a login window.
- It prominently shows the following accounts that could be used immediately (because Alice has these accounts and the NIH site accepts these accounts):
- Ohio State
- Yahoo
- Equifax
- AOL
- Its also shows accounts that Alice could use if she first registered with these IdPs
- Acxiom
- Wave Systems
- Citigroup
- It prominently shows the following accounts that could be used immediately (because Alice has these accounts and the NIH site accepts these accounts):
- Alice clicks on Google
- Alice authenticates to Google
- Alice agrees to share Google attributes with NIH
...
Step #5: Alice agrees to share Google attributes with NIH
Flow Diagram
Subflow "Flow A " (described and mocked up above) is this path through the overall flowthe red path:
