This blog can't be viewed on LiveJournal. Instead see

  • Re: Stateless RP's?

    Right now the only common situation where an unsolicited positive assertion arises is when providers send back an assertion for a different identifer than was in the request.

    The subtle difference between EAUT-first and EAUT-in-discovery here is that in the former case there's no way to figure out what email address belongs to the URL in the unsolicited positive assertion, so you'll need to do traditional email validation on the email address the user entered. In the latter case, if the OP switches identifiers it can choose to send back an email address, and as long as discovery on that email address works out you've got a verified email address despite the unsolicited nature of the assertion.

    When I mentioned state in my message I wasn't referring to associations. What I meant was the RP remembering what email address the user entered to correlate it with the assertion later.

    By Martin Atkins at 06:06 am on 27th Oct 2008