saml-dev - RE: [saml-dev] SP --> IDP Auth
- From: "Jahan Moreh" <jmoreh@sigaba.com>
- To: "'Cahill, Conor P'" <conor.p.cahill@intel.com>,"'prasanta behera'" <pkb.prasanta@gmail.com>,<saml-dev@lists.oasis-open.org>
- Date: Mon, 28 Nov 2005 11:44:42 -0800
If the idea is to get a precise "Yes or No" answer, I agree
with Conor. But, if the intent is to know if the IdP has previously
authenticated the user, then I think the SP can use an
<AuthnQuery>.
Thanks,
Jahan
SP wants to know if the user is authenticated or not (status: Y or N)
at the IDP? How can I do that?
There is *NO* way to do this in SAML (1.0 or 2.0).
The other answers I've seen all deal with answering the question "Is the IdP
willing to establish and/or share an authentication session with the SP?" or
from the SP's point of view "Please provide whatever authentication
information you are allowed to provide for this user?"
If everything works and all permissions are granted, the SP finds out that the
user is authenticated and that the IdP was willing to share that information
with the SP.
If it doesn't work (for many different reasons) the SP gets nothing. So the
SP can't tell if the user is authenticated or not at the IdP when it gets
nothing.
There are many cases where the user will be authenticated at an IdP
where the SP cannot figure that out.
Conor
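
The distinction drawn in this thread, as an added example that is not part of the original messages: SP-side handling of an IdP reply can only ever conclude "authenticated and shared" or "unknown", never "not authenticated". The function names, outcome labels and sample responses are constructed for illustration, and signature and validity checking is assumed to have happened beforehand.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Hypothetical labels for the only two conclusions the SP can draw.
AUTHENTICATED_AND_SHARED = "authenticated-and-shared"
UNKNOWN = "unknown"  # deliberately no "not-authenticated" outcome


def classify_idp_answer(response_xml):
    """Return what the SP may conclude from an IdP reply, or from no reply."""
    # Assumption: signature, issuer and validity checks already passed.
    if not response_xml:  # timeout, no redirect back, empty body
        return UNKNOWN
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return UNKNOWN
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return UNKNOWN  # a refusal says nothing about the user's session
    if root.find("saml:Assertion/saml:AuthnStatement", NS) is not None:
        return AUTHENTICATED_AND_SHARED
    return UNKNOWN  # Success with no statement: nothing was shared


def build_response(status, body=""):
    """Build a constructed, unsigned, minimal sample Response."""
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s">'
        '<samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>%s'
        "</samlp:Response>" % (NS["samlp"], NS["saml"], status, body)
    )


STATEMENT = ('<saml:Assertion><saml:AuthnStatement '
             'AuthnInstant="2005-11-28T19:00:00Z"/></saml:Assertion>')
SAMPLES = {  # constructed inputs, not schema-complete
    "shared": build_response(SUCCESS, STATEMENT),
    "empty": build_response(SUCCESS),
    "refused": build_response("urn:oasis:names:tc:SAML:2.0:status:Responder"),
    "nothing": None,
}

if __name__ == "__main__":
    print({name: classify_idp_answer(x) for name, x in SAMPLES.items()})
```
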