login page w/ Social IDP options
liamr at umich.edu
Thu Sep 22 16:49:10 BST 2011
I need some guidance.
I was talking to my boss, and he expressed a desire to update our login
page w/ options to log in using shib, or a number of social networks. He
wants to preserve as much of the existing flow as possible. (In a past
message where I'd talked about something similar, Scott had responded that
trying to "maintain the illusion" was a bad idea, and would probably cause
problems in the long run).
Our IdP is protected by our SSO. If you are not currently authenticated
w/ our SSO, you're asked to authenticate. So... if you log in to shib,
you're logged into cosign as well. If you're logged into Cosign, and hit
a shib resource, you are shown uApprove and then sent on to your site.
Ideally, campus SPs shouldn't have to change their sites / applications.
Ideally, this would be centrally provided, so it's something that would
"just be available" to people who'd already deployed Shib.
Currently, most sites are using the SSO for authentication, meaning the
only authentication screen is the central one provided by the SSO.
We could add the social login options there... but if we did, we'd need to
extend the SSO such that it could accept authentication from those
sources (which would be a problem in itself).
We were trying to figure out if the SSO could maybe identify requests from
Shib (via referrer?) and only display those extended options to Shib auth
requests. I don't think that would work, because by the time people are
directed to our login screen, it's because the SP has already generated an
authentication request for *our* IdP. We can't just take that and send it
on someplace else. It seems that the only situation where that sort of
thing might work is when the request is routed through a DS or WAYF.
I'm not sure how feasible it is to turn the login page for our SSO into a
DS (and still allow it to be used as the authenticator)... and even if it
/is/ possible, I'm not sure that it's a good idea. It seems like an
interstitial page would be required - it could be attractive and well
camouflaged, but it'd still need to be there.
I'm looking for comments / suggestions / ideas (someone willing to have an
extended discussion would be most appreciated).
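The point above about the SP having "already generated an authentication request for *our* IdP" can be seen directly in the wire format. The following is an added illustration, not code from the poster or from any Shibboleth or Cosign component: it builds a constructed SAML 2.0 AuthnRequest, encodes it the way the HTTP-Redirect binding does (raw DEFLATE, then base64), and then decodes it the way an IdP endpoint would, pulling out the Issuer (the SP) and the Destination (this IdP's SSO endpoint). The entity IDs and endpoint URLs are placeholders, not real campus values. Because a conforming IdP must check that Destination names its own endpoint, a login page that tried to hand the request to a social provider instead would be forwarding a message addressed to someone else, which is why the redirection has to happen earlier, at a DS or WAYF, before the request is built.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed placeholder values (assumptions for this example, not real deployments).
IDP_SSO_ENDPOINT = "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"
SP_ENTITY_ID = "https://sp.example.edu/shibboleth"


def encode_redirect_binding(xml_text: str) -> str:
    """Encode an XML message as the SAMLRequest query parameter of the
    HTTP-Redirect binding: raw DEFLATE (no zlib header) then base64."""
    compressor = zlib.compressobj(wbits=-15)
    data = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect_binding(param: str) -> str:
    """Reverse of encode_redirect_binding: base64-decode, then raw inflate."""
    raw = base64.b64decode(param)
    return zlib.decompress(raw, wbits=-15).decode("utf-8")


def inspect_authn_request(param: str) -> dict:
    """Decode a SAMLRequest parameter and return the routing-relevant fields
    an IdP looks at before deciding whether it may handle the request."""
    root = ET.fromstring(decode_redirect_binding(param))
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    return {
        "id": root.get("ID"),
        "destination": root.get("Destination"),
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
    }


def destined_for_this_idp(info: dict, my_endpoint: str = IDP_SSO_ENDPOINT) -> bool:
    """An IdP may only act on a request whose Destination is its own endpoint.
    A request bound to this IdP cannot simply be re-addressed elsewhere."""
    return info.get("destination") == my_endpoint


# Constructed sample request, as an SP would send it to the campus IdP.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}"
    xmlns:saml="{SAML_NS}"
    ID="_constructed-request-1" Version="2.0"
    IssueInstant="2011-09-22T15:49:10Z"
    Destination="{IDP_SSO_ENDPOINT}"
    AssertionConsumerServiceURL="https://sp.example.edu/Shibboleth.sso/SAML2/POST"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>
</samlp:AuthnRequest>"""

SAMPLE_PARAM = encode_redirect_binding(SAMPLE_AUTHN_REQUEST)


if __name__ == "__main__":
    info = inspect_authn_request(SAMPLE_PARAM)
    print("issuer:     ", info["issuer"])
    print("destination:", info["destination"])
    print("ours?      ", destined_for_this_idp(info))
    print("social IdP?", destined_for_this_idp(info, "https://social-idp.example.com/sso"))
```

Run as a script it prints the SP's entity ID, the campus IdP endpoint, `True` for the campus IdP and `False` for the placeholder social provider. The same decode step is also a useful place to log Issuer and Destination, since a mismatch there is the first sign of a misconfigured SP or a forwarded request rather than something the login page should quietly route around.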