RE: [saml-dev] Authentication Responses

["Scott Cantor" <cantor.2@osu.edu>]

philippe.beauchamp@bell.ca wrote on 2009-12-08:
> We have a case where the Login Page at the Identity Provider may take the
> user into other flows initiated by the user, such as registering for a new
> credential.  Is the IdP obligated to respond with a authentication
response
> to the SP?

Eventually, yes, or you're feeding into the paranoia that some SPs have
about "giving up control of the user". With SP-initiated SSO, the SP is
telling the IdP to respond with an error or an assertion, and that's all we
can say.

> Under what situation(s) do I NOT have to respond back with a SAML
response?

It's a non-testable requirement, of which there are many. You have to apply
reasonable judgement. Users can always choose to jump out at any point, but
making that a likely outcome tends to result in a confusing overall user
experience from the point of view of the SP.

If somebody has to register in real time, that doesn't have to completely
interrupt a login flow, except that identity vetting that ends up being
asynchronous (e.g., email verification) tends to be impossible to coordinate
well from what I've seen. Really, federation should reduce that need. If we
have to constantly walk users through account registration in a federation
scenario, that's a red flag for the deployment.

-- Scott