LID SSO Profile
From LID Wiki
The LID SSO Profile, together with the LID Relying Party Profile, defines the protocol by which LID Clients and LID Servers interact in order to:
- create a single-sign-on (SSO) experience for a user across multiple LID Relying Parties.
- implement a uniform way by which LID Clients' requests can be authenticated by the receiving LID Servers.
In the general case, three machine actors participate in the LID SSO Profile:
- the user agent (such as the user's browser from which the user wishes to experience SSO)
- the software behind the user's own LID(tm) URL, which may or may not conform to the LID SSO Profile.
- the software behind the LID Relying Party that is the 'target' of the SSO.
A LID(tm) URL supporting the LID SSO Profile may receive requests of the following form:
LIDURL?lid-action=sso-approve&lid-target=TARGETURL
[Changed: TARGETURL is now a composite URL. That way, we can support SSO across multiple LIDs, one authenticating the next]
where TARGETURL is a composite URL of the form BASETARGETURL?lid-credtype=TTT, with:
- TTT: a credential type the target is willing to accept
- BASETARGETURL: the URL of the target.
In response to this request, the software behind the user's LID URL may do whatever it needs to do to authenticate the user behind the user agent (e.g. ask for a password, accept a session cookie that it issued earlier, require an iris scan, ...).
If and when this authentication of the user session has succeeded, the software returns an HTTP redirect to the target URL, of the following form:
TARGETURL?lid=LIDURL&lid-credtype=TTT&lid-nonce=NNN&lid-credential=CCC
where:
- CCC is the credential issued by the user's LID(tm) URL software for use by the target URL.
- NNN is the current date and time at the server hosting LIDURL, in millisecond resolution, in the ISO 8601 extended format and the UTC time zone, such as 2005-09-10T07:50:56.123Z.
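The request and redirect described above, with the checks a relying party should run on the redirect it receives, as an added example that is not code from the LID project. The page does not define the credential format behind lid-credtype TTT, so this example stands in an HMAC-SHA256 over target URL, LID URL and nonce under a secret both sides hold (hypothetical credtype value hmac-sha256-example); the clock-skew window, the set of already-seen nonces, the function names and the secret are likewise assumptions of this example.

```python
"""Single-step LID SSO exchange, both sides.  Added example, not code from the
LID project.  Assumed here and not specified on the page: the credential CCC is
an HMAC-SHA256 over target URL, LID URL and nonce under a secret both sides
hold (a stand-in for whatever lid-credtype TTT really denotes), and the
relying party accepts a nonce only inside a clock-skew window and refuses one
it has accepted before."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

CREDTYPE = "hmac-sha256-example"      # hypothetical TTT value
NONCE_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"   # ISO 8601 extended form, UTC, as on the page


def build_approve_request(lid_url, base_target, credtype):
    """Relying party -> LID URL:  LIDURL?lid-action=sso-approve&lid-target=TARGETURL
    with TARGETURL = BASETARGETURL?lid-credtype=TTT, percent-encoded as one value."""
    target = base_target + "?" + urlencode({"lid-credtype": credtype})
    return lid_url + "?" + urlencode({"lid-action": "sso-approve", "lid-target": target})


def issue_nonce(now):
    """NNN: the LID server's current UTC time at millisecond resolution,
    e.g. 2005-09-10T07:50:56.123Z.  `now` must be timezone-aware."""
    now = now.astimezone(timezone.utc)
    return now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"


def issue_credential(secret, target, lid_url, nonce):
    """CCC (assumed format): binds target, LID URL and nonce together, so a
    credential captured for one target cannot be replayed against another."""
    msg = "\n".join((target, lid_url, nonce)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_sso_response(target, lid_url, credtype, nonce, credential):
    """LID URL -> relying party (HTTP redirect):
    TARGETURL?lid=LIDURL&lid-credtype=TTT&lid-nonce=NNN&lid-credential=CCC.
    TARGETURL already carries a query string, so the reply is appended with '&'."""
    sep = "&" if "?" in target else "?"
    return target + sep + urlencode({"lid": lid_url, "lid-credtype": credtype,
                                     "lid-nonce": nonce, "lid-credential": credential})


def verify_sso_response(url, target, lid_url, secret, now, seen_nonces,
                        max_skew=timedelta(minutes=5)):
    """Relying-party checks on the URL it was redirected to.  `target` and
    `lid_url` are what it put in its own request.  Records the nonce and
    returns True on success; returns False on any failure."""
    multi = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # a parameter that occurs twice with different values is parameter pollution: refuse to guess
    if any(len(set(v)) != 1 for v in multi.values()):
        return False
    p = {k: v[0] for k, v in multi.items()}
    if not all(k in p for k in ("lid", "lid-credtype", "lid-nonce", "lid-credential")):
        return False
    if p["lid"] != lid_url or p["lid-credtype"] != CREDTYPE:
        return False
    try:
        issued = datetime.strptime(p["lid-nonce"], NONCE_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return False
    # the nonce is a timestamp: bound the replay window and reject one already accepted
    if abs(now.astimezone(timezone.utc) - issued) > max_skew or p["lid-nonce"] in seen_nonces:
        return False
    expected = issue_credential(secret, target, lid_url, p["lid-nonce"])
    if not hmac.compare_digest(expected, p["lid-credential"]):
        return False
    seen_nonces.add(p["lid-nonce"])
    return True


def demo():
    """One exchange end to end, then a replay, a stale nonce and a tampered credential."""
    secret = b"constructed-shared-secret"     # constructed for this example
    lid, rp = "http://user.example.com/", "http://www.example.com/"
    t0 = datetime(2005, 9, 10, 7, 50, 56, 123000, tzinfo=timezone.utc)
    request = build_approve_request(lid, rp, CREDTYPE)
    target = parse_qs(urlsplit(request).query)["lid-target"][0]   # what the LID URL sees
    nonce = issue_nonce(t0)
    redirect = build_sso_response(target, lid, CREDTYPE, nonce,
                                  issue_credential(secret, target, lid, nonce))
    tampered = redirect[:-1] + ("0" if redirect[-1] != "0" else "f")
    seen = set()
    return {
        "request": request,
        "nonce": nonce,
        "first": verify_sso_response(redirect, target, lid, secret, t0 + timedelta(seconds=2), seen),
        "replay": verify_sso_response(redirect, target, lid, secret, t0 + timedelta(seconds=3), seen),
        "stale": verify_sso_response(redirect, target, lid, secret, t0 + timedelta(hours=1), set()),
        "tampered": verify_sso_response(tampered, target, lid, secret, t0 + timedelta(seconds=2), set()),
    }


if __name__ == "__main__":
    print(demo())
```

Two points worth noting for anyone implementing the relying-party side. Because NNN is a server timestamp rather than a random value, freshness alone does not stop replay within the skew window; the relying party also has to remember the nonces it has accepted for at least that window. And the verifier returns a bare False on every failure so that a caller cannot learn from the error which check tripped.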
See also LID Relying Party Profile.
Multi-step SSO
See also Multi-step SSO.
It has turned out that the LID SSO Profile sometimes needs to support a multi-step single-sign-on process. For example, in order to be able to authenticate to Site 2, a human user may first need to authenticate herself to Site 1 (such as her own LID(tm) URL). Only once authentication against Site 1 has succeeded will Site 1 be willing to endorse the single-sign-on to Site 2 by signing the target URL.
In order to support this, LID SSO Profile allows the lid-target parameter to be either a simple or a composite URL, depending on whether the specified target URL is the final destination of the process, or only an intermediate step.
For example, if the user specifies http://user.example.com/ as her LID(tm) URL when attempting to authenticate against the site http://www.example.com/, the latter will redirect the browser session to the LID(tm) URL with parameters
http://user.example.com/?lid-action=sso-approve&lid-credtype=AAA&lid-target=http://www.example.com/
However, if the user is not yet authenticated at her own LID(tm) URL, the LID(tm) URL will issue an authentication challenge of its own, which can take a variety of forms (there is no need to standardize it, because this ceremony is entirely between the user and her very own LID(tm) URL). For the discussion here, let's assume that the challenge is for the user to prove that she is authenticated at another LID(tm) URL called http://root.example.com/.
If so, http://user.example.com/ will issue a redirect to the following URL:
http://root.example.com/?lid-action=sso-approve&lid-target=CCC
where CCC is the following composite URL, percent-escaped per the appropriate RFC (the escaping is not fully shown here) so that there is no confusion about which parameters belong to the outer request and which to the nested URL.
http://user.example.com/?lid-action=sso-approve&lid-target=http://www.example.com/%3Flid-credtype=AAA
On the return leg of the Multi-step SSO, the respective target URLs are unpacked, step by step, and the user can thus be authenticated at the ultimate target site.
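The composite-target handling for the multi-step case, covering both the escaping requirement stated above and the step-by-step unpacking on the return leg, as an added example that is not code from the LID project. The hosts and lid-credtype=AAA are the page's; the function names, the simulated redirect sequence and the placeholder nonce and credential values in the replies are assumptions of this example (verification of those replies is left out here).

```python
"""Multi-step LID SSO: composing a composite lid-target and unpacking it on the
return leg.  Added example, not LID project code.  Hosts and lid-credtype=AAA
are the page's; function names, the simulated flow and the placeholder
nonce/credential values are assumptions."""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


def approve_request(lid_url, target):
    """LIDURL?lid-action=sso-approve&lid-target=TARGET, TARGET percent-encoded as one value."""
    return lid_url + "?" + urlencode({"lid-action": "sso-approve", "lid-target": target})


def naive_approve_request(lid_url, target):
    """What the page warns against: splicing the composite URL in unescaped."""
    return f"{lid_url}?lid-action=sso-approve&lid-target={target}"


def append_reply(url, reply):
    """Redirect back to a hop's pending request with the lid-* reply appended."""
    return url + ("&" if "?" in url else "?") + urlencode(reply)


def split_url(url):
    """(URL without its query, single-valued params).  A key that occurs with two
    different values means the nesting is ambiguous, and the request is refused."""
    parts = urlsplit(url)
    multi = parse_qs(parts.query, keep_blank_values=True)
    clash = [k for k, v in multi.items() if len(set(v)) != 1]
    if clash:
        raise ValueError(f"conflicting values for {clash}")
    return urlunsplit(parts._replace(query="")), {k: v[0] for k, v in multi.items()}


def is_ambiguous(url):
    """True when the outer query parser cannot tell the hops apart."""
    try:
        split_url(url)
        return False
    except ValueError:
        return True


def unpack_chain(request_url):
    """From the request a hop received, list the hops in order down to the final
    destination (which keeps its own query, e.g. ?lid-credtype=AAA)."""
    chain, url = [], request_url
    while True:
        base, p = split_url(url)
        if p.get("lid-action") == "sso-approve" and "lid-target" in p:
            chain.append(base)
            url = p["lid-target"]
        else:
            chain.append(url)
            return chain


def return_leg(received_url):
    """Where a hop goes next on the way back: once it has verified the previous
    hop's lid-* reply it follows its own lid-target.  None means this hop is the
    final destination."""
    _, p = split_url(received_url)
    if p.get("lid-action") == "sso-approve" and "lid-target" in p:
        return p["lid-target"]
    return None


def simulate(rp="http://www.example.com/", user="http://user.example.com/",
             root="http://root.example.com/", credtype="AAA"):
    """The page's scenario as an ordered list of (redirecting actor, URL)."""
    final = rp + "?" + urlencode({"lid-credtype": credtype})
    req_user = approve_request(user, final)        # relying party -> user's LID URL
    req_root = approve_request(root, req_user)     # user's LID URL, not yet authenticated -> root
    placeholder = {"lid-nonce": "2005-09-10T07:50:56.123Z", "lid-credential": "CCC"}
    hops = [("www.example.com", req_user), ("user.example.com", req_root)]
    # root authenticates the user, then follows its lid-target with its reply appended
    back_to_user = append_reply(return_leg(req_root),
                                {"lid": root, "lid-credtype": credtype, **placeholder})
    hops.append(("root.example.com", back_to_user))
    # user's LID URL, now satisfied, follows its own lid-target back to the relying party
    back_to_rp = append_reply(return_leg(back_to_user),
                              {"lid": user, "lid-credtype": credtype, **placeholder})
    hops.append(("user.example.com", back_to_rp))   # return_leg(back_to_rp) is None: done
    return hops


if __name__ == "__main__":
    for actor, url in simulate():
        print(actor, "->", url)
    print("naive form ambiguous:", is_ambiguous(naive_approve_request(
        "http://root.example.com/", simulate()[0][1])))
```

The naive, unescaped form is what the escaping requirement exists to prevent: the outer query parser sees two lid-target values (the inner URL's own parameters leak into the outer request), so a hop that picks the last one would send the user straight to http://www.example.com/ and skip the intermediate authentication step. A hop should refuse such a request outright, as split_url does, rather than pick one of the values.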