[Go-essp-tech] Whitelisting of IDPs
Nathan Wilhelmi
wilhelmi at ucar.edu
Thu Feb 17 08:44:14 MST 2011
Hi,
In released versions of the gateway (1.2.0 and earlier) there are some
technical reasons for whitelisting which IDPs users could use. Version
1.3 contains a significant OpenID overhaul which should remove the
technical need for whitelisting IDPs. With version 1.3, if you come in
from an IDP and the required attributes are not sent via AX, the user is
simply prompted for the needed attributes before continuing. So from the
user's perspective they should be able to come in from *pretty much* any
IDP. Internally we have been testing with myopenid.com successfully.
So we have a couple of options:
1) Remove whitelisting altogether. We can still have a 'where are you
from' list of potential IDPs; this doesn't preclude BADC's suggestion.
We also have some ideas on how we can do a 'forgot my OpenID' to help
users figure out where they might be from.
2) Put whitelisting back in, but drive it from the registry service
rather than shipping XML files with releases.
3) Put a registry driven blacklist in place. If we find a few IDPs cause
problems we can blacklist those and let users freely use other ones.
Thoughts as to what direction to head?
Thanks!
-Nate
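The three options above (open, registry-driven whitelist, registry-driven blacklist) and the AX fallback (prompt for whatever required attributes the IDP did not send) can be expressed as one small policy check. The following is an added example written for this page, not code from the ESG gateway or from this thread; the gateway itself is a Java application, and the registry document format, the attribute URIs, the function names and the sample OpenID response below are all assumptions made for illustration. It parses a real AX 1.0 fetch_response (bound to whatever extension alias the IDP chose), decides allow/deny against the registry policy, and returns the list of attributes the user would have to be prompted for.

```python
"""Added example (not ESG gateway code): registry-driven IDP policy
check plus the OpenID AX attribute fallback described in the post.
The registry format and names below are assumptions for illustration."""
import json
from urllib.parse import urlsplit

AX_NS = "http://openid.net/srv/ax/1.0"

# Constructed registry document standing in for what a registry service
# might serve instead of XML files shipped with each release (assumed).
REGISTRY_JSON = """
{
  "mode": "blacklist",
  "whitelist": ["myopenid.com", "ceda.ac.uk"],
  "blacklist": ["broken-idp.example"],
  "required_ax": ["http://axschema.org/contact/email",
                  "http://axschema.org/namePerson/first",
                  "http://axschema.org/namePerson/last"]
}
"""

# Constructed positive assertion (openid.mode=id_res) from an IDP that
# answered the AX fetch with only the e-mail attribute (assumed data).
SAMPLE_PARAMS = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.claimed_id": "https://alice.myopenid.com/",
    "openid.ns.ext1": AX_NS,
    "openid.ext1.mode": "fetch_response",
    "openid.ext1.type.email": "http://axschema.org/contact/email",
    "openid.ext1.value.email": "alice@example.org",
}


def load_registry(text):
    """Parse the registry document; 'mode' is open, whitelist or blacklist."""
    return json.loads(text)


def normalize_host(identifier):
    """Lower-cased host of a URL identifier, port stripped. XRI
    identifiers (=name, @name, ...) are not handled here and yield ""."""
    if identifier.startswith(("=", "@", "+", "$", "!")):
        return ""
    if "://" not in identifier:
        identifier = "http://" + identifier  # bare "alice.myopenid.com"
    return urlsplit(identifier).hostname or ""


def host_matches(host, entry):
    """True if host is the registry entry or a subdomain of it.
    The dot boundary keeps 'evilmyopenid.com' from matching 'myopenid.com'."""
    entry = entry.lower().strip(".")
    return host == entry or host.endswith("." + entry)


def decide(claimed_id, registry):
    """Policy verdict for a claimed identifier. Call this on the
    identifier from the *verified* assertion (signature, nonce and
    return_to already checked), not on what the user typed in."""
    host = normalize_host(claimed_id)
    if not host:
        return "deny"
    mode = registry.get("mode", "open")
    if mode == "whitelist":
        ok = any(host_matches(host, e) for e in registry.get("whitelist", []))
        return "allow" if ok else "deny"
    if mode == "blacklist":
        # Only IDPs already listed are stopped; everything else is admitted.
        bad = any(host_matches(host, e) for e in registry.get("blacklist", []))
        return "deny" if bad else "allow"
    return "allow"


def parse_ax_fetch_response(params):
    """Return {type_uri: [values]} from the AX fetch_response carried in
    an OpenID assertion. Finds the AX extension under whatever alias
    openid.ns.<alias> binds it to, and handles count/multi-valued attrs."""
    alias = next((k[len("openid.ns."):] for k, v in params.items()
                  if k.startswith("openid.ns.") and v == AX_NS), None)
    if alias is None or params.get(f"openid.{alias}.mode") != "fetch_response":
        return {}
    prefix = f"openid.{alias}."
    result = {}
    for key, type_uri in params.items():
        if not key.startswith(prefix + "type."):
            continue
        attr = key[len(prefix + "type."):]
        if prefix + "count." + attr in params:
            n = int(params[prefix + "count." + attr])
            values = [params[f"{prefix}value.{attr}.{i}"]
                      for i in range(1, n + 1)
                      if f"{prefix}value.{attr}.{i}" in params]
        else:
            values = [params[prefix + "value." + attr]] \
                if prefix + "value." + attr in params else []
        result[type_uri] = [v for v in values if v != ""]
    return result


def missing_required(ax_attrs, required):
    """Required attribute URIs the IDP did not supply (prompt the user)."""
    return [t for t in required if not ax_attrs.get(t)]


def admit(claimed_id, params, registry):
    """Combined decision: allowed? and which attributes to prompt for."""
    if decide(claimed_id, registry) != "allow":
        return {"allowed": False, "prompt_for": []}
    attrs = parse_ax_fetch_response(params)
    return {"allowed": True,
            "prompt_for": missing_required(attrs, registry["required_ax"])}


if __name__ == "__main__":
    print(admit(SAMPLE_PARAMS["openid.claimed_id"], SAMPLE_PARAMS,
                load_registry(REGISTRY_JSON)))
```

With the constructed registry in blacklist mode, alice.myopenid.com is admitted and the gateway would prompt her for first and last name; switching the registry's mode to whitelist denies any host not under a listed domain. The host match is done on the verified claimed identifier, and subdomain matching with a dot boundary is what keeps a look-alike domain from slipping past a list entry.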