Refeds


Subject Re: advice on redirect from email for discovery?
From Peter Schober <peter.schober@xxxxxxxxxxxx>
Date Wed, 15 May 2013 18:17:48 +0200

Quite interesting, if only for the fame, size and presumed (or
documented) wealth of the company involved. Comments below.

* Nicole Harris <harris@xxxxxxxxxx> [2013-05-15 14:20]:
> (with thanks to Miro for pointing this out).  The latest incarnation
> of Office365 web login (https://login.microsoftonline.com/) uses
> redirection to the IdP based on the email address a user types in.

FWIW, neither with en-US nor de-AT locale do I get asked for an email
address, it states "Sign in with your organizational account", and the
form field is pre-populated with "someone@xxxxxxxxxxx".
As such you could also claim that they are asking for your kerberos
principal or eduPersonPrincipalName (or eduPersonScopedAffiliation, if
you will, and they would work just as "well").
Or -- more interestingly -- your NetID, assuming either a) it is
scoped, or b) you did not pay attention to the structure of the
example identifier and just enter your "organizational account" (login
name, uid, NetID).
I.e., it's remarkable they rely on the example string /alone/ to
convey they in fact want you to enter a (string containing a) DNS
domain.
Which I find interesting, as not paying attention to and interpreting
the "structuredness" aspect of the example string accordingly may lead
to quite a few people entering strings which do not in fact contain
their institutional DNS domain, which seems to be the whole point of
this exercise.

Also mildly interesting is the fact that this requires more work
(pointless typing of the left hand side of the scoped identifier) on
part of the user in order to avoid having to explain what a domain is.
Though admittedly not much more typing compared to the Shibboleth EDS
/if/ (as I've seen people do) you look up your institution by starting
typing with "University ", which is a lot of typing and hardly narrows
down the possibilities in many REFeds.

And yes, the interface is definitively too slow to prevent entering
the password and hitting return as well (my userid is rather short).

I'm guessing that if they said "email address" (no matter if it'd be
prepended by "organizational") people would enter their private
non-institutional address. And even that has weird effects:
When I entered foo@xxxxxxxxx (not something I control) as account it
redirected me from https://login.microsoftonline.com/ to
https://login.live.com/login.srf?cbcxt=&vv=&username=foo%40gmail.com..etc.

Hitting the back-button keeps you at https://login.live.com with no
way to return to https://login.microsoftonline.com/ (at least in an
oldish Firefox/Iceweasel 10 browser).

But then what do I know about UI/UX.
Maybe they have the numbers proving that Doing It Wrong leads to
preferable results (from their point of view).
Maybe they don't.
-peter
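As an added illustration of the discovery mechanism discussed in this thread (example code, not Peter's nor Microsoft's), a routine that routes on the DNS scope of a typed identifier and reports, rather than guesses, when the input is an unscoped NetID or carries a domain the federation does not know; the scope-to-IdP table is constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed scope -> IdP entityID table; not a real federation registry.
SCOPE_TO_IDP = {
    "example.ac.at": "https://idp.example.ac.at/idp/shibboleth",
    "example.edu": "https://idp.example.edu/idp/shibboleth",
}


@dataclass
class DiscoveryResult:
    status: str               # "idp", "no_scope" or "unknown_scope"
    scope: Optional[str]      # normalised DNS domain, if one was found
    entity_id: Optional[str]  # IdP to redirect to, only when status == "idp"


def discover(identifier: str) -> DiscoveryResult:
    """Pick an IdP from the scope (right-hand side) of a scoped identifier.

    Only the domain matters: "jdoe@example.edu" and a scoped affiliation
    such as "member@example.edu" route to the same IdP.  A bare NetID or
    uid with no "@" cannot be routed and is reported as no_scope instead
    of being sent somewhere by guesswork; a domain that is not in the
    table (e.g. a private webmail domain) is reported as unknown_scope
    rather than redirected to an unrelated login service.
    """
    ident = identifier.strip()
    if ident.count("@") != 1:
        return DiscoveryResult("no_scope", None, None)
    local, scope = ident.split("@")
    scope = scope.lower().rstrip(".")
    if not local or not scope or " " in ident:
        return DiscoveryResult("no_scope", None, None)
    entity_id = SCOPE_TO_IDP.get(scope)
    if entity_id is None:
        return DiscoveryResult("unknown_scope", scope, None)
    return DiscoveryResult("idp", scope, entity_id)


if __name__ == "__main__":
    for typed in ("jdoe@example.edu", "member@EXAMPLE.EDU", "jdoe", "foo@gmail.com"):
        print(typed, "->", discover(typed))
```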