Enclosed is a modified version of the push model that you may add to
give the TC a "smorgasboard" to select from. It follows the Strawman 1
terminology and uses the same ugly graphics :-)
Single Sign On Push Model #2
1. Web user authenticates with source Web site.
2. Web user requests link to destination Web site.
3. Source Web site request authorization profile for the resource to be accessed (unsigned)
4. Destination Web site returns authorization profile (signed)
5. Source Web site requests authorization for Web user to use destination resource from destination Web site (signed)
6. Destination Web site returns authorization reference to Source Web site (signed)
7. Source Web site provides user with authorization reference and redirects user to destination Web site.
8. User requests destination resource from destination Web site, providing authorization reference.
9. Destination Web site provides resource to Web user.
The advantages/differences compared the original push model is that:
- The Destination Web site is authenticated before gving away auth. info.
- More flexible auth. scheme. Destination Web site may change auth. req. without system failure
- Source Web site may indicate to Web user what it is giving away in terms of info *before* actually doing it
- Rounds 5-6 and 7-8 *may* be replaced by a locally redirected POSTed HTML-form requiring a single round
and *zero* Destination Web auth. state-holding. The actual method to use can be *negotioated* without
extra requiring rounds.