
security-services message



Subject: RE: [security-services] Comment on sstc-saml-glossary-2.0 (also closes AI #0114)




Scott Cantor wrote on 3/12/2004, 5:36 PM:
 >
 > The SP can then participate in or ignore that relationship, but it
 > never puts anything in an AuthnRequest that distinguishes between an
 > existing one and a new one. I have not seen a need to make that
 > distinction in the spec.

Assuming we're talking about the same thing (that the SP needs to be
able to tell the IdP that it wants a new persistent relationship if
one doesn't already exist) -- it is needed.

The SP needs to be able to represent such an option to handle the case
where it has presented the user with an option to use their IDP
identity at the SP (e.g. the Passport button on Ebay) which is a
clear indication that the user wants the federation.

Of course, in such a case, the IdP can still confirm the federation
with the user, but will, in the right circumstances, accept the SP's
request without needing additional confirmation and create the new
permanent relationship with the user.

Conor



