Category: PayPal

Session Timeout for PayPal OpenID

While setting up as an OpenID provider to enable third party authentication, two issues came up for session management:

  1. The session timeout for is set to a short duration. As a payment provider, that makes complete sense; however, as an identity provider it didn’t result in an ideal experience: it required user authentication on every RP access and hence added to user friction. RPs’ preference was for a more seamless user experience that reduces (if not eliminates) the login challenge.
  2. The concept of logging in to a site using another site’s credentials is still new. Users were not sure whether they were logging in to an RP, to PayPal, or to both; users didn’t always realize that by using to log in to an RP, they were leaving an active session at PayPal.

We wanted to make sure that the security of the user’s account wasn’t compromised while providing the best experience that we can offer. We took a couple of measures:

  • Decouple the OP session from – If you use PayPal as an OP, it will not result in an active session at
  • Allow the OP session to be longer lived – The maximum duration for an OP session is 8 hours. Depending on the RP’s preference, the user may not be challenged again for 8 hours.
  • Allow RPs to request session duration via max_auth_age – Depending on the sensitivity of the transactions, RPs can request their session duration preference. It can be done either at on-boarding time or during the OpenID Authn request.

There are still a few more tweaks that we are planning to make in the near future, but we believe the current solution will allow RPs to have better control over the user experience.

Login to Google Apps using PayPal

It was great to see Pam set up and configure PingFederate to accept PayPal OpenID and show login to Google Apps.

The following screencast illustrates:

  • User accesses (a Google Apps domain)
  • SAML SP Initiated SSO to PingFederate.
  • PingFed redirects to PayPal OpenID endpoint for authentication.
  • User authenticates at
  • PingFed accepts PayPal OpenID response, creates a SAML assertion and redirects to integralcurve.
  • User is logged in to integralcurve.

Another feature that’s not shown here is configuring the solution so that users can select their own IdP at run time. This can potentially allow Google Apps hosted enterprises to offer their employees a handful of IdP options (PayPal, Enterprise AD, Facebook…) and let the employees pick the one they feel most comfortable with.

SAML SSO using PayPal

One of the benefits of using open standards is interoperability with other products and solutions. I connected with the Intel Cloud Access 360 team during IIW, and it took less than an hour to hook up PayPal authentication to Google Apps and Salesforce login via SAML.

The following screencast illustrates how Intel Cloud Access 360 can
a. initiate an OpenID request to PayPal
b. accept the PayPal OpenID response
c. create a SAML assertion with appropriate attributes to log in to

PayPal OpenID Implementation details

Follow up to the previous entry for PayPal OpenID provider:

Main Links

OpenID Endpoint
OpenID Identifier
(This should return the XRDS that can be used to discover the endpoint)
Docs Link
Submit RP for whitelisting!input.jsp

Simple Registration (

openid.sreg.required email,fullname,dob,postcode,country,language,


Attribute Exchange (
Generic Attributes

first name
last name
full name

PayPal Specific Attributes

Verified Account
Payer ID



max_auth_age [ integer value greater than or equal to zero in seconds]
preferred_auth_level_types papeauthlevel1 papeauthlevel2
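The following is an added example, not PayPal's code and not part of the original posts. It shows both sides of what the session-duration measures above and the parameter list here amount to in practice: an RP builds an OpenID 2.0 checkid_setup request that carries the Simple Registration fields listed on this page and a PAPE max_auth_age, and then, on the response, refuses to treat the login as fresh unless the OP's reported openid.pape.auth_time is within that window. OP_ENDPOINT, RETURN_TO and REALM are placeholder URLs (assumptions); preferred_auth_level_types is omitted because the page does not give the namespace URIs behind papeauthlevel1/papeauthlevel2, and the sample response is constructed, not captured. Signature and return_to verification of the response are out of scope here and must still be done by the RP's OpenID library.

```python
"""Added example (not PayPal's code): building an OpenID 2.0 request with SREG +
PAPE max_auth_age, and enforcing max_auth_age on the response at the RP."""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
SREG_NS = "http://openid.net/extensions/sreg/1.1"
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Placeholder URLs (assumptions): substitute the real OP endpoint and your RP URLs.
OP_ENDPOINT = "https://op.example/openid"
RETURN_TO = "https://rp.example/openid/return"
REALM = "https://rp.example/"

# The SREG fields the page lists as required.
SREG_REQUIRED = ["email", "fullname", "dob", "postcode", "country", "language"]


def build_auth_request(max_auth_age, sreg_required=SREG_REQUIRED):
    """Return the query parameters for a checkid_setup request.

    max_auth_age is the PAPE value from the page: an integer number of seconds
    greater than or equal to zero, i.e. the longest the RP will accept since the
    user last actively authenticated at the OP."""
    if int(max_auth_age) < 0:
        raise ValueError("max_auth_age must be >= 0 seconds")
    return {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": RETURN_TO,
        "openid.realm": REALM,
        "openid.ns.sreg": SREG_NS,
        "openid.sreg.required": ",".join(sreg_required),
        "openid.ns.pape": PAPE_NS,
        "openid.pape.max_auth_age": str(int(max_auth_age)),
    }


def auth_request_url(max_auth_age):
    """The URL the RP redirects the browser to."""
    return OP_ENDPOINT + "?" + urlencode(build_auth_request(max_auth_age))


def parse_response_query(query_string):
    """Flatten the OP's return_to query string into a single-valued dict."""
    return {k: v[0] for k, v in parse_qs(query_string).items()}


def parse_auth_time(value):
    """openid.pape.auth_time is an ISO 8601 UTC timestamp, e.g. 2005-05-15T17:11:51Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def session_is_fresh(response, max_auth_age, now):
    """True only if the OP reports an authentication within max_auth_age seconds.

    The RP must not rely on the OP alone: a missing, unparseable or future
    auth_time is treated as stale, so a response that ignores the requested
    max_auth_age cannot silently extend the session. (Signature verification of
    the response is assumed to have happened before this check.)"""
    if response.get("openid.ns.pape") != PAPE_NS:
        return False
    raw = response.get("openid.pape.auth_time")
    if not raw:
        return False
    try:
        authenticated_at = parse_auth_time(raw)
    except ValueError:
        return False
    age = (now - authenticated_at).total_seconds()
    return 0 <= age <= max_auth_age


# Constructed sample response (not a real capture): the user authenticated at the
# OP at 10:00:00Z and the RP evaluates it five minutes later.
SAMPLE_RESPONSE = {
    "openid.ns": OPENID_NS,
    "openid.mode": "id_res",
    "openid.ns.sreg": SREG_NS,
    "openid.sreg.email": "user@example.com",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_time": "2012-05-01T10:00:00Z",
}
SAMPLE_RESPONSE_QUERY = urlencode(SAMPLE_RESPONSE)
SAMPLE_NOW = datetime(2012, 5, 1, 10, 5, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(auth_request_url(3600))
    parsed = parse_response_query(SAMPLE_RESPONSE_QUERY)
    # A one-hour policy accepts a five-minute-old login; a one-minute policy does not.
    print(session_is_fresh(parsed, 3600, SAMPLE_NOW), session_is_fresh(parsed, 60, SAMPLE_NOW))
```

The RP picks max_auth_age per transaction sensitivity, as the post suggests: a low value for payment-like actions forces the OP to re-challenge, while a larger value (up to the OP's own ceiling, 8 hours here) gives the seamless experience RPs asked for; in either case the RP checks auth_time itself rather than trusting that the OP honoured the request.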
