
I am creating a third-party service which consolidates a user's web apps. I was looking at Google's OpenID Connect solution or their OAuth solution as an SSO to a user's web apps.

I have some criteria which I'm not sure it can handle.

  • My service needs to be able to see which Relying Parties a person has used the SSO with.
  • My service needs to be able to send a flag to the Relying Parties to communicate the state of a user who can't do so themselves.
  • The flag is sent, ideally, automatically to all of the Relying Parties that a user has used the SSO with.
  • The Relying Parties need to get more information attached to each user rather than just login credentials.

It seems like I will need to implement the Identity Provider myself, but I am hoping to avoid that as this is just a proof-of-concept prototype. Thanks!

ANX
2 Answers


Yes, you'll need to be the OpenID Connect provider (OP) for tracking the Relying Parties (RPs) that a user has logged in to, to communicate state to RPs and to provide extended user identity information to RPs. Those Relying Parties need to allow their users to configure your OpenID Connect provider for login. What you may do is to "outsource" the actual authentication to Google again by providing some sort of bridging between the RPs and Google's OP but that would require you to implement both the OP part (to the RPs) as well as the RP part (to Google's OP).

Hans Z.
  • I was looking to use something like this: http://www.gluu.org/docs/admin-guide/introduction/. It appears to do everything that I need it to do. – ANX Aug 20 '15 at 00:22
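The bridging design in the answer above (your service is the OP towards the Relying Parties and an RP towards Google) can be sketched without any HTTP plumbing. The following is an added example written for this page, not code from the question, the answer, or Gluu. It models, in memory, the four criteria from the question: the broker remembers which RPs each user has signed in to, attaches extra claims to the ID tokens it issues, and can push a signed state event to every RP a user has used. The issuer URL `https://broker.example`, the RP callbacks, the `urn:example:user-state` event name and the claim contents are all assumptions made for the demo; the RP-side `verify_jwt` is included so the trust checks on both sides are visible.

```python
import base64, hashlib, hmac, json, secrets, time

ISSUER = "https://broker.example"                # hypothetical issuer URL of the bridging OP
UPSTREAM_ISSUER = "https://accounts.google.com"  # Google's OpenID Connect issuer


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """HS256 JWT keyed with the RP's client_secret (OIDC Core allows this for ID tokens).
    A production OP would normally sign with RS256/ES256 and publish its keys as a JWKS."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, issuer: str, audience: str) -> dict:
    """RP-side check: pinned alg, signature, iss, aud and exp. Raises ValueError on failure."""
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")            # never let the token pick the algorithm
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong iss/aud")
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims


class BrokerOP:
    """OP towards the Relying Parties, RP towards Google. All state is in memory for the demo."""

    def __init__(self, upstream_client_id: str):
        self.upstream_client_id = upstream_client_id  # the broker's own client_id at Google
        self.rp_secrets = {}   # client_id -> client_secret (bytes)
        self.rp_notify = {}    # client_id -> callable standing in for the RP's back-channel endpoint
        self.profiles = {}     # local uid -> extra claims the RPs should receive (criterion 4)
        self.logins = {}       # local uid -> set of client_ids the user has signed in to (criterion 1)
        self.uid_by_sub = {}   # Google 'sub' -> local uid

    def register_rp(self, client_id: str, client_secret: bytes, notify) -> None:
        self.rp_secrets[client_id] = client_secret
        self.rp_notify[client_id] = notify

    def login(self, client_id: str, upstream_claims: dict) -> str:
        """Called once the broker, acting as an RP, has obtained and validated Google's ID token
        for this user. Returns the broker-issued ID token for the downstream RP."""
        if (upstream_claims.get("iss") != UPSTREAM_ISSUER
                or upstream_claims.get("aud") != self.upstream_client_id):
            raise ValueError("upstream token was not issued to this broker")
        if client_id not in self.rp_secrets:
            raise ValueError("unknown RP")
        uid = self.uid_by_sub.setdefault(upstream_claims["sub"], f"u{len(self.uid_by_sub) + 1}")
        self.logins.setdefault(uid, set()).add(client_id)
        now = int(time.time())
        claims = {"iss": ISSUER, "sub": uid, "aud": client_id, "iat": now, "exp": now + 300,
                  **self.profiles.get(uid, {})}
        return sign_jwt(claims, self.rp_secrets[client_id])

    def rps_used_by(self, uid: str) -> list:
        return sorted(self.logins.get(uid, ()))

    def broadcast_state(self, uid: str, flag: str) -> list:
        """Criteria 2 and 3: push one signed event per RP the user has logged in to.
        The token shape (sub, jti, events) is modelled on OIDC back-channel logout tokens."""
        now = int(time.time())
        delivered = []
        for client_id in self.rps_used_by(uid):
            event = {"iss": ISSUER, "sub": uid, "aud": client_id, "iat": now, "exp": now + 60,
                     "jti": secrets.token_hex(8),
                     "events": {"urn:example:user-state": {"state": flag}}}   # assumed event name
            self.rp_notify[client_id](sign_jwt(event, self.rp_secrets[client_id]))
            delivered.append(client_id)
        return delivered
```

Two points the answer implies but does not spell out are visible here: the broker has to validate Google's token against its own client_id before trusting the `sub` (otherwise a token minted for a different Google client would log someone in), and every RP must verify the broker's tokens against its own secret and `aud`, so a token or event addressed to one RP is useless at another. The per-RP push in `broadcast_state` is the part no off-the-shelf "use Google directly" setup gives you, which is why the answer says you end up running the OP side yourself.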

Are these relying parties in your control? If not, how would you ensure that they are willing to accept your identity provider? If they are under your control then they could send information to the service you are building.

From the question it sounds like you want to allow a user to track all the random services/sites s/he is using. I think this couldn't be done with your own IDP or with the solution proposed by Hans.

nvnagr
  • The RPs are not in my control, so I can't ensure that they are willing to accept my IP. There are incentives for them to do so, but this is just a proof of concept. That is what I'm trying to do, but I'm also looking to do more. The RPs need to be able to be alerted about a user's change of state without the user themselves alerting each individual RP. This is ideally done through the IDP automatically. Am I in need of something more than just OpenID Connect? I was hoping to use this: http://www.gluu.org/docs/admin-guide/introduction/ – ANX Aug 20 '15 at 00:13