Scenario: NIH Login with SAML, OpenID and I-Card (Pending)
Submitted by: Paul Trevithick
This scenario is an example of a website that would like to support three identity protocols: SAML, OpenID and I-Card. The site has no interest in maintaining local (e.g. username/password) accounts and wishes to rely exclusively on external identity providers (IdPs).
This particular site has a large number (e.g. more than 50) of IdPs that it trusts (i.e. from which it is willing to accept an identity assertion).
(NOTE: Our references to the NIH website are hypothetical.)
Use Case: Unmodified Browser, First Visit
We describe here one of many possible use-cases (interactions) that Alice could have with this site.
Preconditions
Alice:
- Wants to sign in to the NIH site
- Has never been to this NIH site before
- Has an unmodified browser
- Is not logged in to any of her OpenIDs or SAML IdPs at the moment
NIH Site:
- Is a SAML, OpenID, and IMI/InfoCard compatible RP
- Trusts these OpenIDs:
  - Yahoo, AOL, Google
- Trusts these SAML IdPs:
  - InCommon Federation (of which Ohio State is a member)
- Trusts these Infocards:
  - Equifax, Citigroup, Wave Systems, Acxiom
Use Case: Browser Add-on, First Visit
Preconditions
Alice:
- Wants to sign in to the NIH site
- Has never been to this NIH site before
- Already has a multi-protocol browser add-on (aka selector, smart client, etc.)
- Has configured her add-on with:
  - OpenID: Yahoo, AOL, Google, Facebook
  - SAML: Ohio State
  - Infocard: Equifax Identity Card, PayPal
- Is not logged in to any of her OpenIDs or SAML IdPs at the moment
- Has not defined a "default" OpenID, SAML or InfoCard
NIH Site:
- Is a SAML, OpenID, and IMI/InfoCard compatible RP
- Trusts these OpenIDs:
  - Yahoo, AOL, Google
- Trusts these SAML IdPs:
  - InCommon Federation (of which Ohio State is a member)
- Trusts these Infocards:
  - Equifax, Citigroup, Wave Systems, Acxiom