Monday, November 06, 2006

SSO? No, RCSO - Really Complicated SignOn

Pam Dingle recently spent some time testing various web browsers for their ability to offer up clues as to which CardSpace-like identity devices were a) available and b) preferred by the user. Her findings: "It's a little messy. Ok it's a lot messy."

What Pam found was that -
"The CardSpace team has given us a way to test whether their client is installed (which I really appreciate), but sadly, the way that they have given us can only be evaluated using a scripting language that runs on one brand of browser. What we all really need is a way to tell if *any* identity selector is installed or, in a future perfect world, *which* identity selector is installed, in a vendor-agnostic way."
Until this gets solved, the promise of user-centric web-based simplified signon will remain just that, a promise.

You may think it would be OK to simply add a button to the web site that says words to the effect of [Authenticate via CardSpace] but that's little better since you'd need a selector button for each implementation of an iCard. Not to mention another button for all of the rest of the OSIS crowd. And, frankly, I'm not going to clutter up my web page with all those buttons, tags and fields.

Simplified SignOn has to actually be simplified if we expect anyone to actually use it.

You don't need a separate button for each selector implementation. There are already at least 3 different selectors in use today, and they all use the same buttons.

The RP doesn't need to know what selector you are using, and doesn't care. It only cares if its policy can be fulfilled.

The main difficulty is determining if identity cards are supported at all. This is still tricky, as Pam points out. That being said, once you've determined support, a single "Authenticate via Cardspace" button should suffice.
Hi Dave,

There should be no need for separate links or buttons, since invocation of the plugins works -- it's just the proactive detection that is difficult. In the worst case, it means you can't assume that just because no selector was detected, one doesn't exist. You have to let the user click the "use an information card" link, even if you're pretty sure that it will fail, just in case something will pick up the mime type, and then if nothing does pick it up, you need to explain what happened after the fact.

I'm guessing that this isn't a showstopper, just an evil that gets worked around over and over again. It hasn't stopped the flash folks or the quicktime folks, and so I don't expect it to stop the identity folks either. That being said, maybe we can positively contribute to encouragement of the IE7 team to re-examine support for the navigator.plugins and navigator.mimetypes object, and thus save countless people untold numbers of future blood pressure points :)

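The detection-versus-invocation split described in the comment above, as an added example that is not code from the post or from any selector vendor: probe navigator.mimeTypes for an information-card handler, but treat an empty or missing table as "unknown" and keep the link visible in every case. The MIME type string and the navigator stand-ins are assumptions constructed for illustration.

```javascript
// Assumed MIME type for illustration; not taken from the post.
const INFOCARD_MIME = "application/x-informationCard";

// Returns "detected", "absent" or "unknown". "unknown" covers browsers
// whose navigator.mimeTypes is missing or empty (the IE7 situation the
// comment describes), where nothing can be ruled in or out.
function detectSelector(nav, mimeType) {
  if (!nav || !nav.mimeTypes || nav.mimeTypes.length === 0) {
    return "unknown";
  }
  const entry = nav.mimeTypes[mimeType];
  if (entry && entry.enabledPlugin) {
    return "detected";
  }
  // Table is populated but nothing advertised the type.
  return "absent";
}

// Decide what the page shows. The link is always rendered: even "absent"
// only means no plugin advertised the type, not that no selector exists,
// so the explanation is given after the attempt fails, not instead of it.
function selectorUi(state) {
  const ui = { showLink: true, preflightNote: "", onFailureNote: "" };
  switch (state) {
    case "detected":
      ui.onFailureNote = "Your identity selector did not return a card. Please try again.";
      break;
    case "absent":
      ui.preflightNote = "No identity selector was found; the link may not work.";
      ui.onFailureNote = "Nothing handled the request. You may need to install an identity selector.";
      break;
    default: // "unknown"
      ui.onFailureNote = "Nothing handled the request. If you have no identity selector, install one and retry.";
  }
  return ui;
}

// Constructed navigator stand-ins (not real browser objects).
const navWithSelector = { mimeTypes: { length: 1, [INFOCARD_MIME]: { enabledPlugin: {} } } };
const navWithout = { mimeTypes: { length: 1, "application/pdf": { enabledPlugin: {} } } };
const navIeStyle = { mimeTypes: { length: 0 } };

// In a real browser, pass the global navigator instead of a stand-in.
if (typeof navigator !== "undefined") {
  console.log(selectorUi(detectSelector(navigator, INFOCARD_MIME)));
}
```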

Hi Dave, Sorry to use this post as an inquiry but your email seems to not be working properly.
I am working on a Masters Degree project. As part of my research I am surveying the options for networking two Macs for use with audio production.
If you (or anyone viewing) have any ideas or info on the topic, please feel free to contact me at:


Tony Schultz
Studio owner - Big T Productions
Instructor - New England Institute of Art
Boston, MA

© 2003-2006 The Virtual Quill, All Rights Reserved
