OpenID as a Single Sign On option?


Solution 1

Also, SSO (as you mentioned) usually implies that I only have to log in once (presumably to my workstation) and then from there on, I don't need to sign in anywhere.

OpenID of course doesn't solve that problem. For example, if I use OpenID to sign in to StackOverflow, it doesn't mean I don't need to sign in to another website again using the same OpenID.

Solution 2

I have to say that I absolutely agree with the statements on it being too difficult for the "average" Internet user. I think that OpenID could still be considered "new", even though the original proposal was back in 2005. More high traffic sites are taking it up as just an option for creating an account, rather than requiring users to have an OpenID present.

In my opinion, as long as normal username/password account creation is offered alongside OpenID, average Internet users will naturally begin to try and eventually stick with using OpenID.

The authentication issues apply just as much to OpenID as registering on any website. You put your trust in the website with your password (assuming you do not use a password storage program) so that shouldn't be used against OpenID.

All that aside, the standardization of account creation is absolutely cream gravy to a web developer. I'd just love to not even have to worry about the normal creation process, and rather just drop in an OpenID library and reference it to the database.

Solution 3

It took me a while to understand OpenID (so many providers!) but I really like the concept. Tie it in with Gravatar and rewriting your profile is much more painless - perhaps one or two fields.

The only issues are that you have to trust your OpenID provider - but that's not really what I'd call a problem, more like common sense.

Edit: People having problems with OpenID providers should consider setting up a new one. My provider is myopenid.com and I've had no problems. You can set up multiple personas (like profiles) so I have one for blog comments, one for technology sites like this.

As for having a new SO profile, Jeff said something about being able to change your OpenID without losing your profile stats in the future.

Solution 4

There is one tiny problem with OpenID.

Seamlessly logging in with OpenID requires automatic (unverified) redirection between domains.

That makes the OpenID server a 3rd party. This can cause cookies for the OpenID server to be rejected if you turn off 3rd party cookies and your browser strictly follows the Unverifiable Transactions rule in 3.3.6 of RFC2965.

An example of this is Opera. If you turn off 3rd party cookies (by setting the global to "Accept only cookies from the site I visit"), you can't log in with OpenID because the server script you submit to automatically (without your interaction to approve it) redirects you to the OpenID server and the OpenID server does the same to get you back.

But, you get lucky in Firefox, IE and Safari with their corresponding blocking of 3rd party cookies because they violate RFC2965 in multiple situations.

Having to use OpenID in this case does a disservice to more compliant clients.

As a workaround, in Opera, besides accepting all cookies, you can go to tools -> preferences -> advanced -> Network and turn off Automatic Redirection. Then, you'll be able to verify and click each link you're redirected to and the cookies won't be rejected because the transactions are verified.

It should also work if you keep Automatic Redirection on and both servers generate a page with a link for you to click on so you can verify the transaction. But, there can't be any automatic redirects anywhere.

Logging in with just a username and password where you're only dealing with first party cookies would be much better in this case.

OpenID is still cool though and I guess Opera just needs an option to allow unverifiable transactions between SO and your OpenID server so that you can use "Accept only cookies from the site I visit" here.
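The cookie behaviour described in Solution 4 can be reproduced offline with Python's standard `http.cookiejar`, which implements the RFC 2965 unverifiable-transaction check. This is an added example, not part of the original answer; the host names, the cookie name and the `FakeResponse` helper are constructed for illustration.

```python
import email.message
import urllib.request
from http.cookiejar import CookieJar, DefaultCookiePolicy

# Constructed hosts: rp.example stands for the site being logged in to,
# openid-provider.example for the OpenID provider.
RP_HOST = "rp.example"
PROVIDER_URL = "https://openid-provider.example/auth"


class FakeResponse:
    """Minimal offline stand-in for an HTTP response carrying Set-Cookie."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def provider_cookie_stored(strict, automatic_redirect):
    """Return True if the provider's session cookie ends up in the jar.

    strict             -- apply the RFC 2965 unverifiable-transaction rule
    automatic_redirect -- True when the user had no chance to approve the URL
    """
    policy = DefaultCookiePolicy(strict_ns_unverifiable=strict)
    jar = CookieJar(policy)
    request = urllib.request.Request(
        PROVIDER_URL,
        origin_req_host=RP_HOST,          # transaction started at the site
        unverifiable=automatic_redirect,  # urllib sets this on auto-redirects
    )
    response = FakeResponse("op_session=constructed-value; Path=/")
    jar.extract_cookies(response, request)
    return any(cookie.name == "op_session" for cookie in jar)


if __name__ == "__main__":
    for strict, auto in [(True, True), (True, False), (False, True)]:
        stored = provider_cookie_stored(strict, auto)
        print(f"strict={strict} automatic_redirect={auto} stored={stored}")
```

The strict policy drops the provider's cookie only when the request is both third-party and unverifiable, which is why a user-approved link to the same URL keeps the cookie.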

Solution 5

The best answer on "can someone briefly explain Single sign on? i want to use openid as SSO" explains well how OpenID and SSO are different:

Single-sign-on is about logging on in one place and having that authenticate you at other locations automatically. OpenID is about delegating authentication to an OpenID provider so you can effectively log on to multiple sites with the one set of credentials.

The same post also gives an excellent answer to the original question:

You could use OpenID as your authentication scheme for SSO but that's incidental.

Author: Ivan Arrizabalaga

Updated on April 21, 2022

Comments

  • Ivan Arrizabalaga about 2 years

    I'm just looking for different opinions. Do you consider OpenID a good "Single Sign On" solution?

    The way it works seems to be a little bit confusing for an average user and there could be problems related to "putting all your eggs in the same basket".

    Anyway, has anyone tried to implement his own OpenID solution within the context of an Intranet where there are many different applications (Wordpress, Elgg, Media Wiki, ..)??

    I consider it could be a great solution to solve the "Digital Identity" problem but I don't know if it will work with the "login once and surf the Intranet" problem.

    Opinions?

  • tpower over 15 years
    You might have to provide your OpenID to a second website, but can't the OpenID provider authenticate you without asking for a password the second time?
  • null over 15 years
    If you have cookies enabled in your browser, and you have "allowed" the OpenID provider to automatically authenticate you, then it would appear that you would "automatically" be logged in ... because the cookie would be picked up by the provider and you'd be redirected back.
  • lexu over 15 years
    My primary browser is Opera on OSX, the thinking being, that I present a smaller target for hackers.. and have been "forced" (read "inconvenienced") to use Firefox and cut&paste (RSS links will go to Opera) .. I'll try the suggested route ..
  • lexu over 15 years
    I've just logged in with "Automatic Redirection" disabled .. I had to click 3-4 links both going from SO to myopenid's login page and back. Looks to me the "redirection" is used as I would a procedure/method call ... very inconvenient. A direct login to SO would be so much easier!
  • X-Istence almost 15 years
    StackOverflow now allows you to have multiple OpenID login providers for the same account. As for the whole filling out account information, that has been solved with the OpenID Simple Registration Extension that can allow the user to choose to share his nickname, realname, dob, sex, email, and a few other key pieces of information. No more filling out profiles on each and every page you sign in with an OpenID.
  • X-Istence almost 15 years
    Who says that for OpenID that is only used on a single site you have to have the users enter the URL? Instead have them hit the login link, and automatically re-direct them to the OpenID login page. Just as simple, and no URL typing for the user involved.
  • jcolebrand over 12 years
    I realize this is like three thousand years later, but whatever. The redirection IS a procedure method call set of redirections. It has to go through you as an endpoint, so it is annoying and inconvenient. Just for the betterment of future readers.