Scenario: NIH Login with SAML, OpenID and I-Card (Pending)

Submitted by: Paul Trevithick

This scenario is an example of a website that would like to support three identity protocols: SAML, OpenID and I-Card. The site has no interest in maintaining local (e.g. username/password) accounts and wishes to rely exclusively on external identity providers (IdPs).

This particular site has a large number (e.g. more than 50) of IdPs that it trusts (i.e. from which it is willing to accept an identity assertion).

We describe below two of many possible use-cases (interactions) that Alice could have with this site.

(NOTE: Our references to the NIH website is hypothetical.)

Use Case: Unmodified Browser, First Visit

Preconditions

Alice:

• Wants to sign-in to the NIH site
• Has never been to this NIH site before
• Has an unmodified browser
• Is not logged in to any of her OpenIDs or SAML IdPs at the moment

NIH Site:

• Is a SAML, OpenID, and IMI/InfoCard compatible RP
• Trusts these OpenIDs:
  • Yahoo, AOL, Google
• Trusts these SAML IdPs:
  • InCommon Federation (of which Ohio State is a member)
• Trusts these Infocards:
  • Equifax, Citigroup, Wave Systems, Acxiom

Use Case: Browser Add-on, First Visit

Preconditions

Alice:

• Wants to sign-in to the NIH site
• Has never been to this NIH site before
• Already has a multi-protocol browser add-on (aka selector, smart client, etc.)
• Has configured her add-on with:
  • OpenID: Yahoo, AOL, Google, Facebook
  • SAML: Ohio State
  • Infocard: Equifax Identity Card, PayPal
• Is not logged in to any of her OpenIDs or SAML IdPs at the moment
• Has not defined a "default" OpenID, SAML or InfoCard

NIH Site:

• Is a SAML, OpenID, and IMI/InfoCard compatible RP
• Trusts these OpenIDs:
  • Yahoo, AOL, Google
• Trusts these SAML IdPs:
  • InCommon Federation (of which Ohio State is a member)
• Trusts these Infocards:
  • Equifax, Citigroup, Wave Systems, Acxiom