Subject: Re: [saml-dev] SAML 1.1 Technical Overview (11 May 2004)
Alistair Young wrote on 10/12/2004, 4:52 PM:

> Would it be feasible to use an AuthenticationRequest to transport the
> domain suffixed ID that the user enters on the destination site?

There isn't a standard way to do this, so the SPs and IdPs would need to agree on how to transport it. For example, you could include it in the first section in the relay state (something that most IdPs would ignore) or you add another field to the data being sent to the IdP.

> The Bodington VLE has a separate page for external logins, as opposed to
> local students going about their normal studies.
> If a user, 1324@uhi.ac.uk, enters this ID, no scope for entering a
> password, in the VLE's external login page, theoretically, the next page
> they see is their ID, removed of its domain suffix and an exhortation to
> prove who they are, i.e. enter their password.

While I think you could do this, I think it is even simpler for that page to list the IdPs in HyperLinks so that the user would just have to select the IdP from the page rather than having to type something in. I recommend against models where you ask the user even for portions of their login credentials at a site that isn't supposed to validate those credentials as this leads to complacency in how the user protects those credentials (making it easier to Phish the user).

Of course, this depends on you knowing the IdPs that you are willing to work with, but I think that's a given anyway since I assume you don't want to work with the IdP I have running down in my basement :-).

Conor
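
Added example, not part of the original message or of any project mentioned in it: a sketch of the link-based IdP selection recommended above, where the SP offers only IdPs from a fixed allowlist and resolves the chosen key to a configured URL. The host names, the `/external-login` path, the IdP keys and the `TARGET`-style transfer URL are assumptions made for illustration.

```python
from urllib.parse import urlencode

SP_BASE = "https://vle.example.org"  # constructed SP address (assumption)

# Constructed allowlist: the only IdPs this SP has agreed to work with.
TRUSTED_IDPS = {
    "campus-a": ("Campus A", "https://idp.campus-a.example/transfer"),
    "campus-b": ("Campus B", "https://idp.campus-b.example/transfer"),
}


def _check_local_path(path):
    # Only same-site paths are accepted as the return target, so the
    # login flow cannot be used to bounce users to another site.
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        raise ValueError("target must be a local path")
    return path


def discovery_links(target_path):
    """Links for the external-login page: one per trusted IdP.

    The page has no text field, so no part of the user's credentials
    is ever typed in at the SP.
    """
    _check_local_path(target_path)
    return [
        (label, "/external-login?" + urlencode({"idp": key, "target": target_path}))
        for key, (label, _url) in sorted(TRUSTED_IDPS.items())
    ]


def idp_redirect(idp_key, target_path):
    """Resolve the chosen key to its configured IdP URL.

    The IdP address always comes from the allowlist, never from the
    request, so an IdP the SP has no agreement with cannot be selected.
    """
    if idp_key not in TRUSTED_IDPS:
        raise KeyError("unknown IdP: %r" % idp_key)
    _label, transfer_url = TRUSTED_IDPS[idp_key]
    target = SP_BASE + _check_local_path(target_path)
    return transfer_url + "?" + urlencode({"TARGET": target})
```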