Category: PayPal

Session Timeout for PayPal OpenID

While setting up PayPal.com as an OpenID provider to enable third party authentication, two issues came up for session management:

  1. The session timeout for PayPal.com is set to a short duration. As a payment provider, that makes complete sense; however, as an identity provider it didn’t result in an ideal experience: it required user authentication for every RP access and hence added to user friction. RPs’ preference was for a more seamless user experience, reducing (if not eliminating) the login challenge.
  2. The concept of logging in to a site using another site’s credentials is still new. Users were not sure whether they were logging in to an RP, PayPal, or both; users didn’t always realize that by using PayPal.com to log in to an RP, they were leaving an active session at PayPal.

We wanted to make sure that the security of the user’s PayPal.com account wasn’t compromised while providing the best experience that we can offer. We took a couple of measures:

  • Decouple the OP session from PayPal.com – If you use PayPal as an OP, it will not result in an active session at PayPal.com.
  • Allow the OP session to be longer lived – The maximum duration for OP session is 8 hours. Depending on the RP’s preference, user may not be challenged again for 8 hours.
  • Allow RPs to request session duration via max_auth_age – Depending on the sensitivity of the transactions, RPs can request their session duration preference. It can be done either at on-boarding time or during the OpenID Authn request.

There are still a few more tweaks that we are planning to make in the near future, but we believe the current solution will allow RPs to have better control of the user experience.

Login to Google Apps using PayPal

It was great to see Pam set up and configure PingFederate to accept PayPal OpenID and demonstrate login to Google Apps.

The following screen cast illustrates:

  • User accesses integralcurve.com (a Google Apps domain)
  • SAML SP Initiated SSO to PingFederate.
  • PingFed redirects to PayPal OpenID endpoint for authentication.
  • User authenticates at PayPal.com.
  • PingFed accepts PayPal OpenID response, creates a SAML assertion and redirects to integralcurve.
  • User is logged in to integralcurve.

Another feature that’s not shown here is configuring the solution so that users can select their own IdP at run time. This can potentially allow Google Apps hosted enterprises to offer their employees a handful of IdP options (PayPal, enterprise AD, Facebook…) and let the employees pick the one they feel most comfortable with.

SAML SSO using PayPal

One of the benefits of using open standards is interoperability with other products and solutions. I connected with the Intel Cloud Access 360 team during IIW, and it took less than an hour to hook up PayPal authentication to Google Apps and Salesforce login via SAML.

The following screen cast illustrates how Intel Cloud Access 360 can:
a. initiate an OpenID request to PayPal
b. accept the PayPal OpenID response
c. create a SAML assertion with the appropriate attributes to log in to Salesforce.com

PayPal OpenID Implementation details

Follow up to the previous entry for PayPal OpenID provider:

Main Links

OpenID Endpoint            https://www.paypal.com/webapps/auth/server
OpenID Identifier          https://www.paypal.com/webapps/auth/server (this should return the XRDS that can be used to discover the endpoint)
Docs Link                  https://www.x.com/community/ppx/xspaces/identity
Submit RP for whitelisting https://www.x.com/create-appvetting-app!input.jsp


Simple Registration (http://openid.net/sreg/1.0)

Prefix               http://openid.net/sreg/1.0
openid.sreg.required email,fullname,dob,postcode,country,language,timezone

Attribute Exchange (http://openid.net/srv/ax/1.0)

Generic Attributes

first name http://axschema.org/namePerson/first
last name  http://axschema.org/namePerson/last
email      http://axschema.org/contact/email
full name  http://schema.openid.net/contact/fullname
dob        http://axschema.org/birthDate
postcode   http://axschema.org/contact/postalCode/home
country    http://axschema.org/contact/country/home
language   http://axschema.org/pref/language
timezone   http://axschema.org/pref/timezone
street1    http://schema.openid.net/contact/street1
street2    http://schema.openid.net/contact/street2
city       http://axschema.org/contact/city/home
state      http://axschema.org/contact/state/home
phone      http://axschema.org/contact/phone/default


PayPal Specific Attributes

Verified Account https://www.paypal.com/webapps/auth/schema/verifiedAccount
Payer ID         https://www.paypal.com/webapps/auth/schema/payerID

PAPE (http://specs.openid.net/extensions/pape/1.0)

preferred_auth_policies      http://schemas.openid.net/pape/policies/2007/06/phishing-resistant
                             http://schemas.openid.net/pape/policies/2007/06/multi-factor
                             http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical
max_auth_age                 [integer value greater than or equal to zero, in seconds]
preferred_auth_level_types   papeauthlevel1 papeauthlevel2
auth_level.ns.papeauthlevel1 http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf
auth_level.ns.papeauthlevel2 http://www.jisa.or.jp/spec/auth_level.html
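The following is an added example (not PayPal's code, nor any OpenID library's) showing what the RP side of the two points above looks like in practice: building the checkid_setup request to the PayPal endpoint with the AX attributes and the PAPE max_auth_age preference described in the session-timeout entry, and then enforcing that preference against the PAPE auth_time field of the OP's response. It assumes the OP returns the standard PAPE auth_time (RFC 3339 UTC); the return_to/realm values and the sample response are constructed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

OP_ENDPOINT = "https://www.paypal.com/webapps/auth/server"
AX_NS = "http://openid.net/srv/ax/1.0"
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
AX_EMAIL = "http://axschema.org/contact/email"
AX_VERIFIED = "https://www.paypal.com/webapps/auth/schema/verifiedAccount"
SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

def build_auth_request(return_to, realm, max_auth_age):
    """Build the checkid_setup redirect URL for the PayPal OP, asking via AX
    for e-mail and the PayPal verified-account flag, and via PAPE for the
    RP's session preference (max_auth_age in seconds; 0 forces re-auth)."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_setup",
        "openid.claimed_id": SELECT,
        "openid.identity": SELECT,
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_request",
        "openid.ax.type.email": AX_EMAIL,
        "openid.ax.type.verified": AX_VERIFIED,
        "openid.ax.required": "email,verified",
        "openid.ns.pape": PAPE_NS,
        "openid.pape.max_auth_age": str(max_auth_age),
    }
    return OP_ENDPOINT + "?" + urlencode(params)

def auth_is_fresh(response, max_auth_age, now=None):
    """Enforce the RP's max_auth_age against the PAPE auth_time the OP returns
    (RFC 3339 UTC, e.g. 2011-05-01T11:30:00Z). This is the RP's own session
    policy check; signature verification of the response is a separate step."""
    auth_time = response.get("openid.pape.auth_time")
    if not auth_time:
        return False  # no auth_time: freshness cannot be shown, treat as stale
    authed = datetime.strptime(auth_time, "%Y-%m-%dT%H:%M:%SZ")
    authed = authed.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    age = now - authed
    # reject future timestamps as well as ones older than the RP allows
    return timedelta(0) <= age <= timedelta(seconds=max_auth_age)

# Constructed sample of the PAPE part of an OP response (not a real capture)
SAMPLE_RESPONSE = {"openid.pape.auth_time": "2011-05-01T11:30:00Z"}
```

An RP that wants the "challenge every time" behaviour for a sensitive transaction passes max_auth_age=0, which makes auth_is_fresh accept only an auth_time equal to the current second.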
