LID Multi-step SSO
From LID Wiki
LID Multi-step SSO serves a function similar to the .rhosts mechanism in UNIX operating systems, but does so far more securely.
Consider the following scenario: Alice owns two Personal LIDs (let's call them LID_A and LID_B) that she keeps separate in order to avoid identity correlation between her different on-line Personas. Without Multi-step SSO, she has to authenticate herself separately to each of her two Personal LIDs in order to use both LID URLs with various LID Relying Parties.
Multi-step SSO allows Alice to use LID_A to authenticate herself against LID_B (instead of using a separate password, for example). By doing so, she uses LID_A to single-sign-on not only into LID Relying Parties that expect LID_A, but also into LID Relying Parties that expect LID_B. When LID_B challenges Alice to prove that she is indeed Alice, she does so by proving that she owns LID_A (LID_B is a LID Relying Party for LID_A).
In principle, this process can be continued indefinitely (in practice, it is limited by the number of HTTP redirects a browser will perform in a sequence, and the length of URLs supported by a browser). Of course, LID_B must be configured to accept Single-Sign-On assertions for LID_A.
Note that the only entity in this setup that can correlate her two Personal LIDs is LID_B. Neither LID Relying Parties that accept LID_A nor LID Relying Parties that accept LID_B can correlate her Personal LIDs.
LID Multi-step SSO can be performed with all authentication services supported by LID, such as OpenID and LID SSO Service.
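The chain described above can be modeled as a walk over each LID's configured list of accepted LIDs, with a hop limit standing in for the browser's redirect limit. The following Python example is added here and is not part of the LID specification or code; it generalizes to chains longer than two LIDs, models only the trust decisions (not the HTTP redirects or any LID message format), and `ACCEPTS`, `MAX_HOPS`, `LID_C` and the function names are assumptions.

```python
from collections import deque

MAX_HOPS = 5  # assumed stand-in for the browser's redirect limit; real limits vary

# Constructed configuration: each LID maps to the LIDs whose SSO assertions
# it is configured to accept. LID_C is a hypothetical third Personal LID.
ACCEPTS = {
    "LID_A": set(),
    "LID_B": {"LID_A"},
    "LID_C": {"LID_B"},
}

def sso_chain(authenticated, target, accepts=ACCEPTS, max_hops=MAX_HOPS):
    """Return the chain [target, ..., authenticated], or None if no chain exists.

    Each adjacent pair (x, y) means: x challenges the user and accepts an
    assertion from y, i.e. x acts as a Relying Party for y.
    """
    queue = deque([[target]])
    seen = {target}              # prevents endless loops on circular configs
    while queue:
        path = queue.popleft()
        if path[-1] == authenticated:
            return path
        if len(path) - 1 >= max_hops:
            continue             # chain would exceed the redirect budget
        for nxt in sorted(accepts.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def correlations(path):
    """(observer, observed) pairs: in this model each LID in the chain
    observes only the LID whose assertion it accepts. Relying Parties
    outside the chain observe nothing beyond the LID they expect."""
    return [(path[i], path[i + 1]) for i in range(len(path) - 1)]

if __name__ == "__main__":
    chain = sso_chain("LID_A", "LID_B")
    print(chain, correlations(chain))
```
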

