OASIS Mailing List Archives: saml-dev message

Subject: Re: [saml-dev] SAML 2.0 IsPassive option


Hi Dieter,

first of all thanks for the answer. 

In addition to what you have mentioned, I came across this alternative usage of this property (from another source) which enables the Service Provider to ask the IdP to basically "authenticate this user only if you can do it without having the user involved". This seems to map with the spec definition provided for the 'IsPassive' property under discussion. Is this a valid usage and what does it accurately mean in a real-world scenario?



On Tue, May 10, 2016 at 1:18 PM, Dieter Maurer <dieter@handshake.de> wrote:
Chiranga Alwis wrote at 2016-5-10 10:43 +0530:
>I am a fresh user to SAML 2.0.
>
>When working on an Apache Tomcat SAML 2.0 based single-sign-on (SSO) valve,
>I came across the property named 'IsPassive' under SAML 2.0 Authentication
>Requests. The SAML 2.0 spec introduces this as follows:
>
>IsPassive [Optional] A Boolean value. If "true", the identity provider and
>the user agent itself MUST NOT visibly take control of the user interface
>from the requester and interact with the presenter in a noticeable fashion.
>If a value is not provided, the default is "false".

You can use "IsPassive" when you want to check whether the
user is already authenticated with the identity provider
and do not want the identity provider to issue a login dialog
under any circumstances.


One of the scenarios where this may be interesting is the
"identity provider initiated authentication". In this scenario,
the user first logs in with the identity provider and only then
switches to the service provider. The service provider can use
"IsPassive" to verify that the user has followed this procedure.

Another scenario may look as follows:
Assume there is a set of potential identity providers for a given user.
The service provider may ask each of those identity providers
with "IsPassive" to check whether one of them has already
identified the user. Only if none has, it may present a list
of identity providers from which the user chooses one to really log in.



--
Dieter
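The exchange behind both of Dieter's scenarios, as an added example that is not part of the original thread and not code from any Tomcat valve: the SP sends an AuthnRequest with IsPassive="true", and the IdP either answers from an existing session (top-level status Success plus an assertion) or, because it may not show a login page, returns the top-level status Responder with the second-level status NoPassive, which SAML 2.0 Core defines for exactly this case. The entity IDs, URLs and the two sample responses are constructed for illustration; the responses are unsigned, and the status classification below is a correlation and status check only, not a substitute for signature, Conditions and audience validation.

```python
import uuid
import xml.etree.ElementTree as ET

# Namespaces and status URIs defined by SAML 2.0 Core.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"


def new_request_id() -> str:
    """Fresh xsd:ID for an AuthnRequest; it must start with a letter or '_'."""
    return "_" + uuid.uuid4().hex


def build_authn_request(issuer, acs_url, destination, request_id, issue_instant, passive=True):
    """Serialise a minimal samlp:AuthnRequest. With passive=True the IdP must either
    answer from an existing session or return NoPassive; it may not show a login page."""
    ET.register_namespace("samlp", NS["samlp"])
    ET.register_namespace("saml", NS["saml"])
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "IsPassive": "true" if passive else "false",
    })
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = issuer
    return ET.tostring(req, encoding="utf-8")


def classify_response(response_xml: str, expected_request_id: str) -> str:
    """Map a samlp:Response to 'authenticated', 'no_passive' or 'error'.
    Only InResponseTo and Status are inspected; signature, Conditions and audience
    checks still have to pass before the assertion is trusted. Stdlib ElementTree
    keeps this dependency-free; for untrusted XML in production prefer defusedxml."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    # Bind the answer to the request we actually sent.
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match the outstanding request")
    top = root.find("samlp:Status/samlp:StatusCode", NS)
    if top is None:
        raise ValueError("Response carries no StatusCode")
    if top.get("Value") == STATUS_SUCCESS:
        has_assertion = (root.find("saml:Assertion", NS) is not None
                         or root.find("saml:EncryptedAssertion", NS) is not None)
        if not has_assertion:
            raise ValueError("Success status without an assertion")
        return "authenticated"
    # A passive request the IdP could not satisfy: Responder with NoPassive.
    # This is the normal "no session yet" answer, not an attack signal.
    second = top.find("samlp:StatusCode", NS)
    if (top.get("Value") == STATUS_RESPONDER and second is not None
            and second.get("Value") == STATUS_NO_PASSIVE):
        return "no_passive"
    return "error"


def pick_idp_from_passive_probes(probes):
    """Dieter's second scenario: probes is a list of (idp_entity_id, request_id,
    response_xml) from passive AuthnRequests sent to each candidate IdP. Return the
    first IdP that already had a session, or None so the SP shows its IdP chooser."""
    for idp, request_id, response_xml in probes:
        if classify_response(response_xml, request_id) == "authenticated":
            return idp
    return None


# Constructed sample responses (not captured from any real IdP), both unsigned.
NO_PASSIVE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2016-05-10T08:00:01Z" InResponseTo="_req1"
    Destination="https://sp.example.org/acs">
  <saml:Issuer>https://idp-a.example.org</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""

SUCCESS_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp2" Version="2.0"
    IssueInstant="2016-05-10T08:00:02Z" InResponseTo="_req2"
    Destination="https://sp.example.org/acs">
  <saml:Issuer>https://idp-b.example.org</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-05-10T08:00:02Z">
    <saml:Issuer>https://idp-b.example.org</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
```

In the "user first logs in at the IdP" scenario, a single passive probe that comes back `no_passive` means the user skipped that step and the SP has to decide whether to redirect interactively or refuse; in the multi-IdP scenario the first `authenticated` probe selects the IdP and only when every probe returns `no_passive` does the chooser appear. Treat `no_passive` as an expected outcome in your logs rather than an error, and keep the InResponseTo check: without it a response to some other request could be replayed against this one.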
