RE: [saml-dev] Does John Doe actually have to hit a Submit button to send the encrypted Authentication Response to CarRentalInc?

["Cahill, Conor P" <conor.p.cahill@intel.com>]

 

Question: will John Doe actually have to hit a Submit button to send (POST) the Authentication Response to CarRentalInc?  In other words, from John Doe’s perspective he pressed the link, and the next thing he sees is an HTML form that is filled with a bunch of encrypted stuff.  Then John Doe is expected to press the Submit button, is that how it works? 

The common solution is to use the SAML artifact message which typically can be done totally within an HTTP Redirect message, requiring no user interaction.

 

If the IdP chooses to use the BrowserPost profile, they will typically include Javascript that automatically runs when the form is loaded in the browser and submits the form.  Of course, fi the user has javascript disabled (not too likely nowadays), the form will show as a button that must be selected by the user -- but that typically isn't an issue as most have javascript enabled.

Question: or, is there something that can be done (similar to an HTTP redirect) so that John Doe doesn’t see the encrypted Response being forwarded to CarRentalInc?  That is, is there a way for the unsolicited Response to be delivered to CarRentalInc “behind the scenes”, via John Doe’s browser? 

In neither case is the work done "behind the scenes" as the browser has to go to CarRentalInc and John should see that happen.  In the FormPost, the assertion data will typically be in a hidden field on the form so the user doesn't physically see it (and of course, in the artifact model they don't see it either).

 

Conor