Refeds


Subject Re: advice on redirect from email for discovery?
From "Miroslav Milinovic" <miro@xxxxxxx>
Date Wed, 15 May 2013 14:52:37 +0200

Hi all!

I also (shortly) discussed that with Roland, whose reaction was that this looks like a broken WAYF/WFAYF.

IMHO this approach confuses the user.

Imagine that she/he is already logged in and types anon@myrealm in the username box, then suddenly (before he managed to type in his password) the system starts some redirect and he is logged in to Office 365. Strange SSO experience, isn't it?

Shall we now train our users to type in their username (uid) and then wait to be prompted for password? (actually this looks better than current experience with Office 365 where you can continue typing in your password ... although it will not help you).

For those who'd like to test themselves - trying anything@xxxxxxx would be a harmless but confusing experience.

I wonder if MS can (or does already?) provide a different login page for federated ids?

Regards

Miro


----- Original Message ----- From: "Nicole Harris" <harris@xxxxxxxxxx>
To: "refeds@terena. org" <refeds@xxxxxxxxxx>
Sent: Wednesday, May 15, 2013 2:20 PM
Subject: [refeds] advice on redirect from email for discovery?


Hi All

(with thanks to Miro for pointing this out). The latest incarnation of Office365 web login (https://login.microsoftonline.com/) uses redirection to the IdP based on the email address a user types in. We've discussed this on the list in the past, but this is the first time I have seen an implementation of it. Effectively the experience is:

 - type your email address in the email box.
 - click on the password box, a 'redirecting' message appears (but is slow to react).
 - user is redirected to the usual organisational login screen.

If you want to see it in action, make up a fake email based on @kcl.ac.uk, @sheridancollege.ca or @srce.hr or any site you know that uses 365.

There are obviously a lot of known problems with this approach that we've discussed before (although also some benefits), however we don't specifically reference this approach anywhere in our guidance. Should we do something to include it? Are we likely to see more people using this as an approach, or is this isolated enough that we shouldn't worry about it now?

thoughts?

Nicole

--
----------------
Project Development Officer
TERENA
Singel 468 D
Amsterdam, 1017 AW
The Netherlands

T: +31(0)20 5304488
F: +31(0)20 5304499

mob: +31(0)646 105395