Tuesday, May 20, 2008

OpenID and Single Sign On across sites

I have been reading up about OpenID and SSO as I try to work out how OpenID can enable federated Single Sign On.
There is an interesting page posted at: http://wiki.openid.net//Introduction
Read down through the page to the "Don't Procrastinate... Associate!" section. If you read through the section to the last paragraph it seems to define an OpenID handshake that allows us to achieve SSO.
If I am reading it right the protocol could use a Diffie-Hellman protected shared secret that can be used behind the scenes to determine if an id is still valid. Presumably if an account had been deactivated the shared secret would be invalid which would force a re-authentication.
Can someone with more detailed OpenID knowledge confirm or correct my thinking? Surely it can't be that simple? What am I missing?
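To make the "associate" handshake concrete, here is an added example (not code from the wiki page or from any OpenID library) of what the Diffie-Hellman protected secret in OpenID 2.0 actually is and how it is used afterwards. The relying party and the provider run a DH exchange; the provider generates a random MAC key, masks it with the SHA-256 hash of the DH shared value, and returns it together with an association handle and an `expires_in` lifetime. Every later positive assertion is then signed with HMAC over the named fields, and the relying party checks that signature locally, without a round trip to the provider. When the association lapses the relying party must set up a fresh one before it can verify anything further. The DH group (2^61 - 1, generator 2), the field names used in the toy assertion and the `Provider`/`RelyingParty` classes are assumptions constructed for this example; real deployments use the 1024-bit default modulus the specification defines and the full `openid.`-prefixed message format.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Demonstration-only Diffie-Hellman group (constructed for this example):
# the Mersenne prime 2^61 - 1 with generator 2. OpenID 2.0 specifies a
# 1024-bit default modulus for real deployments; it is not reproduced here.
DEMO_P = 2 ** 61 - 1
DEMO_G = 2


def btwoc(n: int) -> bytes:
    """Big-endian two's-complement encoding OpenID uses for DH values."""
    raw = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    # A leading 1 bit would read as negative, so prepend a zero byte.
    return b"\x00" + raw if raw[0] & 0x80 else raw


def dh_keypair(p: int = DEMO_P, g: int = DEMO_G):
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def mask_mac_key(shared_secret: int, mac_key: bytes) -> bytes:
    """DH-SHA256 masking: H(btwoc(g^xy mod p)) XOR mac_key.
    Applying it twice with the same shared secret recovers the MAC key."""
    digest = hashlib.sha256(btwoc(shared_secret)).digest()
    return bytes(a ^ b for a, b in zip(digest, mac_key))


def kv_encode(fields: dict, signed: list) -> bytes:
    """Key-Value Form encoding of the signed fields, in 'signed' order."""
    return "".join(f"{k}:{fields[k]}\n" for k in signed).encode()


def sign(mac_key: bytes, fields: dict, signed: list) -> str:
    """HMAC-SHA256 over the Key-Value Form of the signed fields, base64."""
    mac = hmac.new(mac_key, kv_encode(fields, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


class Provider:
    """Toy OpenID Provider (OP): issues associations and signs assertions."""

    def __init__(self, lifetime_s: int = 3600):
        self.lifetime_s = lifetime_s
        self.assocs = {}  # assoc_handle -> (mac_key, expires_at)

    def associate(self, rp_public: int) -> dict:
        y, op_public = dh_keypair()
        shared = pow(rp_public, y, DEMO_P)
        mac_key = secrets.token_bytes(32)
        handle = secrets.token_hex(8)
        self.assocs[handle] = (mac_key, time.time() + self.lifetime_s)
        # The MAC key never travels in the clear; only its DH-masked form does.
        return {"assoc_handle": handle, "dh_server_public": op_public,
                "enc_mac_key": mask_mac_key(shared, mac_key),
                "expires_in": self.lifetime_s}

    def positive_assertion(self, handle: str, claimed_id: str) -> dict:
        mac_key, _ = self.assocs[handle]
        signed = ["assoc_handle", "claimed_id", "response_nonce"]
        fields = {"assoc_handle": handle, "claimed_id": claimed_id,
                  "response_nonce": secrets.token_hex(8),
                  "signed": ",".join(signed)}
        fields["sig"] = sign(mac_key, fields, signed)
        return fields


class RelyingParty:
    """Toy Relying Party (RP): holds one association and verifies with it."""

    def __init__(self, op: Provider):
        self.op = op
        self.assoc = None  # (assoc_handle, mac_key, expires_at)

    def ensure_association(self) -> None:
        if self.assoc and time.time() < self.assoc[2]:
            return
        x, rp_public = dh_keypair()
        resp = self.op.associate(rp_public)
        shared = pow(resp["dh_server_public"], x, DEMO_P)
        mac_key = mask_mac_key(shared, resp["enc_mac_key"])  # unmask
        self.assoc = (resp["assoc_handle"], mac_key,
                      time.time() + resp["expires_in"])

    def verify(self, assertion: dict) -> bool:
        """True only for an untampered assertion under a live association."""
        if self.assoc is None:
            return False
        handle, mac_key, expires_at = self.assoc
        if assertion.get("assoc_handle") != handle or time.time() >= expires_at:
            return False
        expected = sign(mac_key, assertion, assertion["signed"].split(","))
        return hmac.compare_digest(expected, assertion["sig"])
```

The relying party keeps the association for its lifetime and verifies assertions with `verify`; a tampered `claimed_id` fails the HMAC check, and an association whose `expires_in` has passed is refused until `ensure_association` negotiates a new one.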
UPDATE: I expanded on some of these thoughts on the Dataportability.org General group: Data Portability General Group