saml-dev message

Subject: Re: [saml-dev] [SAML 2.0] 2-SPs 2-IDPs communication issues


On Tue, Jun 24, 2008 at 4:15 AM, Enrique Cornago Mora
<ecornagomora@gmail.com> wrote:
>
> 1) If there is no Identity Provider Discovery available, how can it be achieved?

Just because the spec doesn't require a particular form of IdP
Discovery doesn't mean it's not important.  In fact, IdP Discovery
continues to be one of the most important unsolved problems associated
with cross-domain web browser SSO.  Don't expect any easy answers.

Some options include:

- The SAML V2.0 IdP Discovery Profile (that you allude to)
- The Identity Provider Discovery Service Protocol and Profile:
http://wiki.oasis-open.org/security/IdpDiscoSvcProtonProfile
- The "Where Are You From?" service (used by the InCommon Federation
and other federations based on Shibboleth):
http://www.incommonfederation.org/metadata.html
- Auto-Connect from Ping:
https://mail.internet2.edu/wws/arc/shibboleth-users/2008-06/msg00462.html

> 2) Should the first SP send some session information to this second
> SP? In case the user clicks on a link, it will not be a problem.
> However, if he uses either a bookmark or he just writes the new URL,
> there is no way to send any information, right?

This is not the SP's job.  It is up to each and every SP to figure out
how to do IdP Discovery on its own.  The SPs in a federation may share
an IdP Discovery service (such as the WAYF above) but there's no
requirement that they do so.

Tom
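The two OASIS mechanisms listed above are both SP-side decisions, which is the point of the reply to question 2. The following is an added example (not code from this thread, from Shibboleth, Ping or any other product) of what an SP has to implement for each: reading and updating the common domain cookie defined by the SAML V2.0 IdP Discovery Profile, and building a request to, and validating the response from, a discovery service under the Discovery Service Protocol and Profile. The entity IDs, hostnames and the trusted-IdP set are constructed for illustration; in a real SP the trusted set comes from federation metadata.

```python
"""SP-side IdP Discovery helpers for the two SAML mechanisms named in the
thread.  Added example: not code from the thread or from any product.
All entity IDs and URLs below are constructed for illustration."""
import base64
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

# Constructed: the IdPs this SP trusts.  A real SP derives this from metadata.
TRUSTED_IDPS = {
    "https://idp.example.edu/idp/shibboleth",
    "https://idp.example.org/saml2/metadata",
}

COMMON_DOMAIN_COOKIE = "_saml_idp"  # cookie name fixed by the IdP Discovery Profile


def parse_common_domain_cookie(cookie_value):
    """Decode the IdP Discovery Profile cookie: a URL-encoded, space-separated
    list of base64-encoded entity IDs, most recently used last.  Entries that
    do not decode cleanly are skipped rather than passed on."""
    idps = []
    for token in unquote(cookie_value).split():
        try:
            entity_id = base64.b64decode(token, validate=True).decode("utf-8")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            continue
        idps.append(entity_id)
    return idps


def update_common_domain_cookie(cookie_value, entity_id):
    """Cookie value to set after a successful login at entity_id: drop any
    earlier occurrence and append it as the most recently used IdP."""
    idps = [e for e in parse_common_domain_cookie(cookie_value or "") if e != entity_id]
    idps.append(entity_id)
    encoded = " ".join(base64.b64encode(e.encode("utf-8")).decode("ascii") for e in idps)
    return quote(encoded, safe="")  # spaces are not legal in a cookie value


def choose_idp_from_cookie(cookie_value):
    """Most recently used IdP that this SP actually trusts.  The cookie is
    client-controlled state, so it is a hint to be checked, not an authority."""
    for entity_id in reversed(parse_common_domain_cookie(cookie_value)):
        if entity_id in TRUSTED_IDPS:
            return entity_id
    return None


# Discovery Service Protocol: the SP redirects the browser to the DS with its
# own entityID, a return URL and the name of the parameter the DS should use
# when it sends the chosen IdP back.
def build_ds_request(ds_url, sp_entity_id, return_url, return_id_param="entityID"):
    params = {"entityID": sp_entity_id, "return": return_url, "returnIDParam": return_id_param}
    return ds_url + ("&" if "?" in ds_url else "?") + urlencode(params)


def handle_ds_response(request_url, return_id_param="entityID"):
    """Extract the IdP the DS sent back and accept it only if it is known from
    metadata; otherwise refuse instead of sending the user to an unknown IdP."""
    qs = parse_qs(urlparse(request_url).query)
    values = qs.get(return_id_param, [])
    if len(values) != 1 or values[0] not in TRUSTED_IDPS:
        return None
    return values[0]
```

In both paths the SP never acts on a discovery result it cannot match against its own metadata: a tampered `_saml_idp` cookie or a crafted return URL with an attacker's entity ID yields "no IdP" and falls through to whatever manual discovery the SP offers, rather than an AuthnRequest to a rogue IdP. On the discovery-service side the corresponding check (not shown) is that the `return` URL belongs to the SP identified by `entityID`, so the DS cannot be used as an open redirector.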
