Subject: Re: [saml-dev] [SAML 2.0] 2-SPs 2-IDPs communication issues
On Tue, Jun 24, 2008 at 4:15 AM, Enrique Cornago Mora <ecornagomora@gmail.com> wrote:
>
> 1) If there is no Identity Provider Discovery available, how can it be achieved?

Just because the spec doesn't require a particular form of IdP Discovery doesn't mean it's not important. In fact, IdP Discovery continues to be one of the most important unsolved problems associated with cross-domain web browser SSO. Don't expect any easy answers. Some options include:

- The SAML V2.0 IdP Discovery Profile (that you allude to)
- The Identity Provider Discovery Service Protocol and Profile: http://wiki.oasis-open.org/security/IdpDiscoSvcProtonProfile
- The "Where Are You From?" service (used by the InCommon Federation and other federations based on Shibboleth): http://www.incommonfederation.org/metadata.html
- Auto-Connect from Ping: https://mail.internet2.edu/wws/arc/shibboleth-users/2008-06/msg00462.html

> 2) Should the first SP send some session information to this second
> SP? In case the user clicks on a link, it will not be a problem.
> However, if he uses either a bookmark or he just writes the new URL
> there is no way to send any information, right?

This is not the SP's job. It is up to each and every SP to figure out how to do IdP Discovery on its own. The SPs in a federation may share an IdP Discovery service (such as the WAYF above) but there's no requirement that they do so.

Tom
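The first two options Tom lists (the SAML V2.0 IdP Discovery Profile's common domain cookie, and the Discovery Service Protocol's redirect exchange) are concrete enough to show in code. The following is an added example for this thread, not code from the original message or from any of the linked projects. It uses only the Python 3 standard library. The cookie name `_saml_idp`, the space-separated list of base64-encoded entityIDs with the most recent last, and the request parameters `entityID`, `return`, `returnIDParam` and `isPassive` come from those two specifications; the entityIDs, endpoint URLs and cookie contents are constructed sample values, and the exact comparison used in `return_url_is_registered` (scheme, host, port and path, with the query string free to differ) is this example's choice for implementing the protocol's rule that `return` must correspond to an endpoint the SP registered in metadata.

```python
import base64
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl

# Cookie name fixed by the SAML V2.0 IdP Discovery Profile (common domain cookie).
CDC_COOKIE_NAME = "_saml_idp"


def encode_cdc(entity_ids):
    """Build the common domain cookie value: each IdP entityID base64-encoded,
    entries separated by one space, most recently used IdP last.
    A repeated entityID is moved to the end rather than duplicated."""
    ordered = []
    for eid in entity_ids:
        if eid in ordered:
            ordered.remove(eid)
        ordered.append(eid)
    return " ".join(base64.b64encode(e.encode("utf-8")).decode("ascii") for e in ordered)


def decode_cdc(cookie_value):
    """Parse the cookie value back into entityIDs, most recent last.
    The cookie is client-controlled, so malformed tokens are skipped, not raised."""
    ids = []
    for tok in cookie_value.split(" "):
        if not tok:
            continue
        try:
            ids.append(base64.b64decode(tok, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return ids


def most_recent_trusted_idp(cookie_value, trusted_idps):
    """SP side: pick the most recently used IdP that this SP actually trusts.
    Filtering against the SP's configured IdPs is what keeps a tampered cookie
    from steering the user to an entityID the SP has no metadata for."""
    for eid in reversed(decode_cdc(cookie_value)):
        if eid in trusted_idps:
            return eid
    return None


# --- Identity Provider Discovery Service Protocol (SP <-> discovery service) ---

def build_ds_request(ds_url, sp_entity_id, return_url, return_id_param="entityID", is_passive=False):
    """SP side: the redirect URL that sends the browser to the discovery service."""
    params = [("entityID", sp_entity_id), ("return", return_url), ("returnIDParam", return_id_param)]
    if is_passive:
        params.append(("isPassive", "true"))
    return f"{ds_url}?{urlencode(params)}"


def return_url_is_registered(return_url, registered_locations):
    """DS side: accept `return` only if it matches a DiscoveryResponse endpoint the
    SP registered in metadata. Assumption for this example: scheme, host, port and
    path must match, and only the query string may differ. Without this check the
    discovery service is an open redirector for any URL an attacker supplies."""
    r = urlsplit(return_url)
    for loc in registered_locations:
        l = urlsplit(loc)
        if (r.scheme, r.netloc, r.path) == (l.scheme, l.netloc, l.path):
            return True
    return False


def build_ds_response(return_url, return_id_param, chosen_idp):
    """DS side: send the browser back to the SP with the chosen IdP appended under
    the parameter name the SP asked for. If no IdP was chosen (e.g. isPassive and
    no prior selection) the parameter is omitted and the SP falls back."""
    parts = urlsplit(return_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    if chosen_idp is not None:
        query.append((return_id_param, chosen_idp))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


if __name__ == "__main__":
    # Constructed sample values, not real federation data.
    cookie = encode_cdc(["https://idp.a.example/sso", "https://idp.b.example/sso"])
    print(CDC_COOKIE_NAME, "=", cookie)
    print("SP picks:", most_recent_trusted_idp(cookie, {"https://idp.a.example/sso", "https://idp.b.example/sso"}))
    req = build_ds_request("https://ds.example/disco", "https://sp.example", "https://sp.example/saml/disco?target=%2Fsecure")
    print("DS request:", req)
    print("DS response:", build_ds_response("https://sp.example/saml/disco?target=%2Fsecure", "entityID", "https://idp.b.example/sso"))
```

The two halves answer Tom's point in different ways: the cookie lets each SP decide on its own without talking to anyone, while the discovery-service exchange is the shared service a federation may run, and the `return` validation on the DS side is the check that makes sharing it safe.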