/
NIH Scenario

NIH Scenario

Feb 09, 2010

Scenario: NIH Login with SAML, OpenID and I-Card (Pending)

Submitted by: Paul Trevithick

This scenario is an example of a website that would like to support three identity protocols: SAML, OpenID and I-Card. The site has no interest in maintaining local (e.g. username/password) accounts and wishes to rely exclusively on external identity providers (IdPs).

This particular site has a large number (e.g. more than 50) of IdPs that it trusts (i.e. from which it is willing to accept an identity assertion).

We describe below two of many possible use-cases (interactions) that Alice could have with this site.

(NOTE: Our references to the NIH website is hypothetical.)

Use Case: Unmodified Browser, First Visit

Preconditions

Alice:

  • Wants to sign-in to the NIH site

  • Has never been to this NIH site before

  • Has an unmodified browser

  • Is not logged in to any of her OpenIDs or SAML IdPs at the moment

NIH Site:

  • Is a SAML, OpenID, and IMI/InfoCard compatible RP

  • Trusts these OpenIDs:

    • Yahoo, AOL, Google

  • Trusts these SAML IdPs:

    • InCommon Federation (of which Ohio State is a member)

  • Trusts these Infocards:

    • Equifax, Citigroup, Wave Systems, Acxiom

Flow #1: Uses Google account

  1. Alice clicks on the login button (see Non-chrome Login Button)

  2. The popup window appears

  3. Alice clicks on Google

  4. The window (having been redirected) now displays the Google auth dialog box

  5. Alice authenticates to Google

  6. Alice agrees to share Google attributes with NIH

  7. Alice is now logged in to the NIH site

Flow #2: Same as #1 except using Ohio State account
Flow #3: Searches first, then logs in

  1. Alice clicks on the login button (see Non-chrome Login Button)

  2. Alice types in the search box for "Boston University" (a member of the InCommon Federation)

  3. ...the rest is like flow #2

Use Case: Browser Add-on, First Visit

Preconditions

Alice:

  • Wants to sign-in to the NIH site

  • Has never been to this NIH site before

  • Already has a multi-protocol browser add-on (aka selector, smart client, etc.)

  • Has configured her add-on with:

    • OpenID: Yahoo, AOL, Google, Facebook

    • SAML: Ohio State

    • Infocard: Equifax Identity Card, PayPal

  • Is not logged in to any of her OpenIDs or SAML IdPs at the moment

  • Has not defined a "default" OpenID, SAML or InfoCard

NIH Site:

  • Is a SAML, OpenID, and IMI/InfoCard compatible RP

  • Trusts these OpenIDs:

    • Yahoo, AOL, Google

  • Trusts these SAML IdPs:

    • InCommon Federation (of which Ohio State is a member)

  • Trusts these Infocards:

    • Equifax, Citigroup, Wave Systems, Acxiom