While describing pseudonyms, it was said that two user identities held at different IdPs can be linked. For example, I have a Gmail account narasimmanr@gmail.com and a Yahoo account narasimmanr@yahoo.com, and I want to link these two accounts. How would this be done?
- I log in to one of the accounts, say Yahoo.
- I ask Yahoo to link my Gmail id.
- Yahoo must establish that both accounts are owned by the same individual, so it sends a message to Gmail stating that narasimmanr@yahoo.com wants to link narasimmanr@gmail.com.
- Gmail sends a mail to narasimmanr@gmail.com asking for permission.
- When I log in to narasimmanr@gmail.com, I see this mail and grant the permission.
- Gmail sends the permission to Yahoo.
- Both accounts are linked.
The happy path works well. The doubt arises on the alternate path.
If narasimmanr@gmail.com is not owned by me, the real owner sees the request and rejects it. No problem: Gmail sends the rejection to Yahoo, and Yahoo tells me that the linking has failed.

If the other person, knowingly or unknowingly, accepts the linking, I can now reach his Google apps through my Yahoo id, and likewise every other site that trusts Google. The same applies to him/her with respect to my Yahoo account and the sites that trust Yahoo: the link is a trust relationship in both directions, so a consent given by the wrong person hands each account to the other.
The question is how this can be avoided.
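To make the exchange above concrete, here is a small model of it as an added example (not code from the original post): both IdPs, the consent mail, the three outcomes described (the owner approves, the owner rejects, a stranger approves), and a hardened variant. The IdP and account names follow the post; the message shapes, the `browser-A` / `browser-B` session identifiers and the `require_same_session` check are assumptions for illustration. The hardened check is the property SAML 2.0 federation with persistent pseudonyms relies on: the principal authenticates at both parties from the same user agent, and the link is established from that single session, so a consent that arrives from a different session (the mailbox's real owner) cannot complete the link.

```python
"""
Model of the two-IdP account-linking exchange from the post.  Added example,
not code from the original post; IdP message shapes, browser/session ids and
the session-binding check are assumptions for illustration.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class IdP:
    """A minimal identity provider: accounts, per-browser logins, links, pending requests."""
    name: str
    accounts: set
    sessions: dict = field(default_factory=dict)   # browser/session id -> account logged in here
    links: dict = field(default_factory=dict)      # local account -> (peer IdP name, peer account)
    pending: dict = field(default_factory=dict)    # token -> (local account, peer account, requesting session)
    mailbox: dict = field(default_factory=dict)    # account -> consent mails delivered to it

    def login(self, account, session_id):
        if account not in self.accounts:
            raise ValueError(f"{account} is not an account at {self.name}")
        self.sessions[session_id] = account

    def request_link(self, session_id, peer, peer_account):
        """Steps 1-3 of the post: the logged-in user asks this IdP to link a peer account;
        a consent mail for the peer account's owner is delivered at the peer IdP."""
        local = self.sessions[session_id]
        token = secrets.token_urlsafe(16)
        self.pending[token] = (local, peer_account, session_id)
        peer.mailbox.setdefault(peer_account, []).append(
            {"from_idp": self.name, "from": local, "token": token})
        return token

    def consent(self, peer, token, approve, answering_session, require_same_session=False):
        """Steps 6-8 of the post: whoever holds the peer account answers the consent mail.
        In the naive flow any session logged into that account may approve, which is
        exactly the alternate path where a stranger accepts.  The hardened variant
        additionally requires the approval to come from the browser session that made
        the request, i.e. one person proving control of both accounts in one session."""
        local, peer_account, requesting_session = peer.pending.pop(token)
        if self.sessions.get(answering_session) != peer_account:
            return "rejected: answering session is not logged into the account"
        if not approve:
            return "rejected by owner"
        if require_same_session and answering_session != requesting_session:
            return "rejected: approval did not come from the requesting session"
        peer.links[local] = (self.name, peer_account)
        self.links[peer_account] = (peer.name, local)
        return "linked"

    def federated_identity(self, session_id):
        """The identity a site trusting the peer IdP sees for this session after linking."""
        return self.links.get(self.sessions.get(session_id))


def scenario(i_own_both, approve=True, hardened=False):
    """Run the exchange.  Returns (outcome, identity my Yahoo session now carries at Gmail-trusting sites)."""
    yahoo = IdP("Yahoo", {"narasimmanr@yahoo.com"})
    gmail = IdP("Gmail", {"narasimmanr@gmail.com"})
    me = "browser-A"                              # my browser, logged into Yahoo
    yahoo.login("narasimmanr@yahoo.com", me)
    yahoo.request_link(me, gmail, "narasimmanr@gmail.com")
    # The Gmail mailbox is read either from my browser (I own both accounts)
    # or from a stranger's browser (the real owner of the Gmail account).
    answerer = me if i_own_both else "browser-B"
    gmail.login("narasimmanr@gmail.com", answerer)
    mail = gmail.mailbox["narasimmanr@gmail.com"][-1]
    outcome = gmail.consent(yahoo, mail["token"], approve, answerer, require_same_session=hardened)
    return outcome, yahoo.federated_identity(me)


if __name__ == "__main__":
    print("happy path          :", scenario(True))
    print("owner rejects       :", scenario(False, approve=False))
    print("stranger accepts    :", scenario(False))            # mis-link: my Yahoo id now acts as his Gmail id
    print("stranger, hardened  :", scenario(False, hardened=True))
    print("happy path, hardened:", scenario(True, hardened=True))
```

The naive `consent` reproduces the doubt raised above: once the stranger approves, `federated_identity` for my Yahoo session resolves to his Gmail account. With `require_same_session=True` the stranger's approval is refused because his browser never held the Yahoo login that started the request, while the legitimate flow is unaffected.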
In the correct scenario, delinking also works. In the other scenario, if I delink the two accounts, will the other account also be asked to confirm? I think this is not required, since once the accounts are linked both IdPs treat them as a single user.
Any thoughts on this?
1 comment:
Good blog on SAML 2.0 and its trust between Yahoo and Gmail... However, you have raised a tricky scenario... need to think deeply to answer your question...