saml-dev message



Subject: RE: [saml-dev] SP --> IDP Auth


There's no way to ask that question either.   
 
The SP essentially says to the IdP "Hey, who is this person".   The SP
can add on that request a flag that says "Hey, if you would need to
interact with the user to answer that question, I (the SP) would prefer
that you did not do so".  This flag (IsPassive) can cause the IdP to
return "No" to the SP's request when it might otherwise have been able
to say Yes (assuming the interaction would have been successful).
 
So one could argue that, in the case where the SP already has a relationship
with the user, an IsPassive query that fails could be interpreted
as "they haven't already authenticated"; however, I would say that
since they are not authenticated, the SP really doesn't know it is the
user that they think it is, so again, they don't get information unless
there is success.
 
The key in all of this discussion is understanding exactly what the SP
is asking.  And it is much more along the lines of what I said above (SP
says to IdP "Hey, who is this person").  The SP does not say "Hey, is
this person authenticated at your service" or "Did this person
previously authenticate at your service".
 
One might say I am splitting hairs, but I think the distinction is
important.
 
Conor


________________________________

        From: Jahan Moreh [mailto:jmoreh@xxxxxxxxxx] 
        Sent: Monday, November 28, 2005 2:45 PM
        To: Cahill, Conor P; 'prasanta behera';
saml-dev@xxxxxxxxxxxxxxxxxxxx
        Subject: RE: [saml-dev] SP --> IDP Auth
        
        
        If the idea is to get a precise "Yes or No" answer, I agree with
Conor. But, if the intent is to know if the IdP has previously
authenticated the user, then I think the SP can use an <AuthnQuery>.
         
        Thanks,
        Jahan
         


________________________________

                From: Cahill, Conor P [mailto:conor.p.cahill@xxxxxxxxx] 
                Sent: Monday, November 28, 2005 11:04 AM
                To: prasanta behera; saml-dev@xxxxxxxxxxxxxxxxxxxx
                Subject: RE: [saml-dev] SP --> IDP Auth
                
                
                 

                        SP wants to know if the user is authenticated or
not (status: Y or N) at the IDP?
                        How can I do that? 

                There is *NO* way to do this in SAML (1.0 or 2.0).
                 
                The other answers I've seen all deal with answering the
question "Is the IdP willing to establish and/or share an authentication
session with the SP?" or, from the SP's point of view, "Please provide
whatever authentication information you are allowed to provide for this
user."
                 
                If everything works and all permissions are granted, the
SP finds out that the user is authenticated and that the IdP was willing
to share that information with the SP.  
                 
                If it doesn't work (for many different reasons) the SP
gets nothing.  So the SP can't tell if the user is authenticated or not
at the IdP when it gets nothing.
                 
                There are many cases where the user will be
authenticated at an IdP where the SP cannot figure that out.
                 
                
                Conor 
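The distinction Conor draws above (an IsPassive AuthnRequest asks "who is this person?", and anything other than a successful answer tells the SP nothing about the user's session at the IdP) can be made concrete in code. The following is an added example, not code from the thread or from any OASIS specification text: it builds a SAML 2.0 AuthnRequest with IsPassive="true" and classifies an IdP Response so that the SP only ever concludes "authenticated" on Success with an AuthnStatement, and never concludes "not authenticated" from a NoPassive or other failure status. The namespace URIs and status code URIs are the standard SAML 2.0 values; the entity IDs, message IDs and timestamps are constructed for the example, and the sample Response messages are unsigned (a real SP would verify the signature before trusting any of this).

```python
"""Added example: an SP-side view of IsPassive, illustrating that a failed
passive request is not a "No" answer about the user's authentication state."""
import xml.etree.ElementTree as ET
from typing import NamedTuple, Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"


def build_passive_authn_request(request_id: str, issuer: str, acs_url: str,
                                issue_instant: str) -> str:
    """Serialize an AuthnRequest whose IsPassive flag asks the IdP not to
    interact with the user while answering "who is this person?"."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "IsPassive": "true",
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")


class Verdict(NamedTuple):
    # True only when the IdP returned Success with an AuthnStatement. In
    # every other case this is None, never False: the SP learned nothing.
    authenticated: Optional[bool]
    reason: str


def classify_response(xml_text: str, expected_request_id: str) -> Verdict:
    """Interpret an IdP Response to the passive AuthnRequest. Signature
    verification is deliberately out of scope for this example."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        return Verdict(None, "not a samlp:Response")
    # Correlate the response with the request this SP actually sent.
    if root.get("InResponseTo") != expected_request_id:
        return Verdict(None, "InResponseTo does not match our request ID")
    top = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if top is None:
        return Verdict(None, "malformed: no StatusCode")
    codes = [top.get("Value")]
    nested = top.find(f"{{{SAMLP}}}StatusCode")  # optional second-level code
    if nested is not None:
        codes.append(nested.get("Value"))
    if codes[0] == STATUS_SUCCESS:
        if root.find(f"{{{SAML}}}Assertion/{{{SAML}}}AuthnStatement") is not None:
            return Verdict(True, "IdP asserted an authentication and shared it")
        return Verdict(None, "Success status but no AuthnStatement")
    if STATUS_NO_PASSIVE in codes:
        # The IdP would have needed user interaction; it may or may not
        # already hold a session for this user. Not a "No".
        return Verdict(None, "NoPassive: IdP would have had to interact with the user")
    return Verdict(None, "request failed: " + " / ".join(c for c in codes if c))


# Constructed sample: the IdP declined because interaction would be needed.
NO_PASSIVE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp1" Version="2.0" IssueInstant="2005-11-28T20:00:00Z" InResponseTo="_req1">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="{STATUS_RESPONDER}">
      <samlp:StatusCode Value="{STATUS_NO_PASSIVE}"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""

# Constructed sample: the IdP answered with an authentication statement.
SUCCESS_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp2" Version="2.0" IssueInstant="2005-11-28T20:00:00Z" InResponseTo="_req1">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2005-11-28T20:00:00Z">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.org</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2005-11-28T19:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print(build_passive_authn_request("_req1", "https://sp.example.com",
                                      "https://sp.example.com/acs",
                                      "2005-11-28T19:59:00Z"))
    for sample in (NO_PASSIVE_RESPONSE, SUCCESS_RESPONSE):
        print(classify_response(sample, "_req1"))
```

The point of the `Verdict` type is that `authenticated` is either `True` or `None`; an SP that maps NoPassive (or any Responder/Requester failure) to `False` is making exactly the inference the thread warns against. The InResponseTo check is the minimum correlation an SP should do before drawing any conclusion from a Response at all.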
                


