Subject: RE: [saml-dev] Authentication Responses
philippe.beauchamp@bell.ca wrote on 2009-12-08:
> We have a case where the Login Page at the Identity Provider may take the
> user into other flows initiated by the user, such as registering for a new
> credential. Is the IdP obligated to respond with an authentication response
> to the SP?

Eventually, yes, or you're feeding into the paranoia that some SPs have about "giving up control of the user". With SP-initiated SSO, the SP is telling the IdP to respond with an error or an assertion, and that's all we can say.

> Under what situation(s) do I NOT have to respond back with a SAML response?

It's a non-testable requirement, of which there are many. You have to apply reasonable judgement. Users can always choose to jump out at any point, but making that a likely outcome tends to result in a confusing overall user experience from the point of view of the SP.

If somebody has to register in real time, that doesn't have to completely interrupt a login flow, except that identity vetting that ends up being asynchronous (e.g., email verification) tends to be impossible to coordinate well from what I've seen.

Really, federation should reduce that need. If we have to constantly walk users through account registration in a federation scenario, that's a red flag for the deployment.

-- Scott