Subject Re: advice on redirect from email for discovery?
From Rhys Smith <smith@xxxxxxxxxxxxx>
Date Wed, 15 May 2013 17:37:10 +0100

I had the same reaction as Roland initially - when I first saw the flow a while back I thought it was broken somehow; when I realised it was acting as intended I was fairly horrified...

In answer to your specific question, if it's an approach - and one that might see more use in the future by the big few (MS, Google, etc) - then the REFEDS guidance absolutely should reference it (no point ignoring it), but point out the various flaws in the approach: that way people looking for guidance to figure out how *they* should do it can make an informed decision.

On 15 May 2013, at 13:20, Nicole Harris <harris@xxxxxxxxxx> wrote:

(with thanks to Miro for pointing this out).  The latest incarnation of Office365 web login ( uses redirection to the IdP based on the email address a user types in. We've discussed this on the list in the past, but this is the first time I have seen an implementation of it.  Effectively the experience is:

- type your email address in the email box.
- click on the password box, a 'redirecting' message appears (but is slow to react).
- user is redirected to the usual organisational login screen.

If you want to see it in action, make up a fake email based on, or or any site you know that uses 365.

There are obviously a lot of known problems with this approach that we've discussed before (although also some benefits), however we don't specifically reference this approach anywhere in our guidance.  Should we do something to include it?  Are we likely to see more people using this as an approach, or is this isolated enough that we shouldn't worry about it now?



