Canonical SSO provider

Enable user-controlled auto-login

Reported by Stuart Metcalfe on 2010-07-01
20
This bug affects 3 people
Affects Status Importance Assigned to Milestone
Canonical SSO provider
Wishlist
Unassigned
LoCo Team Portal
Wishlist
Unassigned

Bug Description

Auto-login is currently a feature for trusted sites only and cannot be controlled by our users for their favourite sites. We also implemented check_immediate for trusted sites in bug #449708. We should add a feature to enable users to auto-login to any site they visit and subsequently control these settings.

Some initial suggestions:

 * Limit server-controlled auto-login to trusted SSO sites (see bug #600224) ie: all trusted SSO sites automatically get auto-login - it doesn't have to be enabled because it's assumed to be part of the full SSO experience.
 * Add a "Log me in to this site automatically" checkbox near the login button on the openid confirmation page. This should be unchecked by default. When checked, subsequent logins should happen using the existing auto-login code, except...
 * If the information requested by the consumer is added to (not removed from - we don't need to inform the user of less info than originally approved being sent) then we should not auto-login. The new info will be clearly identified (see bug #121533). The "Log me in to this site automatically" checkbox should be checked by default so the auto-login continues to work next time, unless the user changes their mind.
 * We should add a "Sites" view which enables the user to manage all sites they have logged in to, ever (so it should be paged, sorted by last login date). This should enable them to set whether they can auto-login to the site with a checkbox.
 * A site which can auto-login should also be able to do check_immediate as long as the requested info isn't added to since auto-login was set. Otherwise, it should respond negatively forcing the user to have to confirm the change as described above.
 * Question: Should a user be able to change their auto-login preference for a server-set auto-login (ie: trusted SSO site)?

description: updated
description: updated
tags: added: proj-openit

Note for QA: When this gets implemented, we should test that changes in requested data temporarily prevent auto-login under described conditions so the user can approve changes in exposure of their data, as described in bug #121533.

Changed in loco-directory:
status: New → Confirmed
importance: Undecided → Wishlist
Adnane Belmadiaf (daker) wrote :

Any updates on this ?

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Related blueprints