Liam Hoekenga liamr at umich.edu
Thu Sep 22 16:49:10 BST 2011

I need some guidance.

I was talking to my boss, and he expressed a desire to update our login 
page w/ options to log in using shib, or a number of social networks.  He 
wants to preserve as much of the existing flow as possible.  (In a past 
message where I'd talked about something similar, Scott had responded that 
trying to "maintain the illusion" was a bad idea, and would probably cause 
problems in the long run.)

Our IdP is protected by our SSO.  If you are not currently authenticated 
w/ our SSO, you're asked to authenticate.  So.. if you log in to shib, 
you're logged into cosign as well.  If you're logged into Cosign, and hit 
a shib resource, you are shown uApprove and then sent on to your site.

Ideally, campus SPs shouldn't have to change their sites / applications. 
Ideally, this would be centrally provided, so it's something that would 
"just be available" to people who'd already deployed Shib.

Currently, most sites are using the SSO for authentication, meaning the 
only authentication screen is the central one provided by the SSO.

We could add the social login options there.. but if we did, we'd need to 
extend the SSO such that it could accept authentication from those 
sources (which would be a problem in itself).

We were trying to figure out if the SSO could maybe identify requests from 
Shib (via referrer?) and only display those extended options to Shib auth 
requests.  I don't think that would work, because by the time people are 
directed to our login screen, it's because the SP has already generated an 
authentication request for *our* IdP.  We can't just take that and send it 
on someplace else. It seems that the only situation where that sort of 
thing might work is when the request is routed through a DS or WAYF.

I'm not sure how feasible it is to turn the login page for our SSO into a 
DS (and still allow it to be used as the authenticator).. and even if it 
/is/ possible, I'm not sure that it's a good idea.  It seems like an 
interstitial page would be required - it could be attractive and well 
camouflaged, but it'd still need to be there.

I'm looking for comments / suggestions / ideas (someone willing to have an 
extended discussion would be most appreciated).
