By way of discussion: I observe that "cancel" is a feature that selectors
have (I suppose they must all have a "cancel" button, right, to let the
user escape from the selector UI?) that, in my experience, the web-form
login pages used in redirect-signon schemes (SAML, openid, all the
homegrown ones) don't have; nor do the protocols support the concept.
That is, in SAML there's no protocol message for "user visited IdP but
didn't authenticate". If the user arrives at a login web page and can't
or doesn't authenticate using it, it's up to the user to go back to the
originating app (and often the back button doesn't work to do this) or
whatever else they want to do. This ends up placing the burden on apps to
be very careful about how and when they redirect users for authentication,
which I'd say is the opposite of what we want apps to do.
Does it seem to others that "cancel" behavior in information cards needs
more standardization (or is it standardized already and I'm just not aware
of it)? If so should this be done in the IMI TC?
- RL "Bob"
> By way of discussion: I observe that "cancel" is a feature that
> selectors
> have (I suppose they must all have a "cancel" button, right, to let the
> user escape from the selector UI?) that, in my experience, the web-form
> login pages used in redirect-signon schemes (SAML, openid, all the
> homegrown ones) don't have; nor do the protocols support the concept.
> That is, in SAML there's no protocol message for "user visited IdP but
> didn't authenticate". If the user arrives at a login web page and
> can't
> or doesn't authenticate using it, it's up to the user to go back to the
> originating app (and often the back button doesn't work to do this) or
> whatever else they want to do. This ends up placing the burden on
> apps to
> be very careful about how and when they redirect users for
> authentication,
> which I'd say is the opposite of what we want apps to do.
This sound to me like you're exposing a flaw in the redirect-signon
schemes
(SAML, OpenID, etc). Is that your intent?
> Does it seem to others that "cancel" behavior in information cards
> needs
> more standardization (or is it standardized already and I'm just not
> aware
> of it)? If so should this be done in the IMI TC?
Doesn't "cancel" mean that a user wants to terminate the process in
which
they are engaged? I.e. "I changed my mind and don't want to do that".
Let
me put in this way. If it doesn't mean that to a user and it isn't
handled
gracefully (by whatever mens), then the designers go on Santa's
"naughty"
list. Those comments are not peculiar to information cards. There's
already a "standard" for information cards to follow.
So, to answer the question you asked in the subject line, the user has
started a process by pushing some kind of "login" button. "Cancel"
should
terminate that process and to be graceful, should return the user to
where
they were as if that button had never been pushed.
Eric Norman
> I had thought that the selector was supposed to return control silently
> to the RP, without posting a token?
Sorry, I'm slow(er) today. The sequence is:
1. browser sends GET (or whatever) to server
2. server sends response to browser with embedded trigger(s)
3. browser sees trigger, invokes selector
4. user clicks cancel in selector UI
5. ?
Does 5 involve the browser sending something to server? If so, what
should it be?
- RL "Bob"