Subject: Re: [saml-dev] SAML 1.1 Technical Overview (11 May 2004)
Alistair Young wrote on 10/12/2004, 4:52 PM:

 > Would it be feasible to use an AuthenticationRequest to transport the
 > domain suffixed ID that the user enters on the destination site?

There isn't a standard way to do this, so the SPs and IdPs would need to
agree on how to transport it.  For example, you could include it in the
first section in the relay state (something that most IdPs would ignore)
or you add another field to the data being sent to the IdP.

 > The Bodington VLE has a separate page for external logins, as opposed to
 > local students going about their normal studies.
 > If a user, 1324@uhi.ac.uk, enters this ID, no scope for entering a
 > password, in the VLE's external login page, theoretically, the next page
 > they see is their ID, removed of its domain suffix and an exhortation to
 > prove who they are, i.e. enter their password.

While I think you could do this, I think it is even simpler for that
page to list the IdPs in HyperLinks so that the user would just have
to select the IdP from the page rather than having to type something
in.

I recommend against models where you ask the user even for portions of
their login credentials at a site that isn't supposed to validate
those credentials as this leads to complacency in how the user
protects those credentials (making it easier to phish the user).

Of course, this depends on you knowing the IdPs that you are willing
to work with, but I think that's a given anyway since I assume you
don't want to work with the IdP I have running down in my basement :-).


Conor
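The two SP-side options discussed in the reply above (a page of links to preconfigured IdPs, or mapping the domain suffix of an entered ID to a known IdP), as an added example that is not part of the original message. The IdP names and URLs are constructed placeholders, and the `TARGET` parameter name is an assumption standing in for the "relay state" the reply mentions; the point shown is that only the SP's return location is forwarded, the allowlist decides which IdPs are acceptable, and no part of the user's identifier or password is reused.

```python
from urllib.parse import urlencode

# Constructed allowlist of the IdPs this SP has agreed to work with.
# Names and SSO URLs are hypothetical placeholders, not real endpoints.
KNOWN_IDPS = {
    "uhi.ac.uk": {"name": "UHI", "sso_url": "https://idp.uhi.ac.uk/sso"},
    "example.edu": {"name": "Example University", "sso_url": "https://idp.example.edu/sso"},
}


def idp_links(return_url):
    """Option favoured in the reply: one link per known IdP, nothing typed by the user.
    Only the SP's return location travels to the IdP (parameter name is an assumption)."""
    links = []
    for _scope, idp in sorted(KNOWN_IDPS.items()):
        query = urlencode({"TARGET": return_url})
        links.append((idp["name"], f"{idp['sso_url']}?{query}"))
    return links


def scope_of(scoped_id):
    """Extract the domain scope from 'user@scope'; None when malformed.
    The local part is deliberately discarded so no piece of a credential is forwarded."""
    if scoped_id.count("@") != 1:
        return None
    local, scope = scoped_id.split("@")
    scope = scope.strip().lower()
    if not local.strip() or not scope:
        return None
    return scope


def select_idp(scoped_id):
    """Discovery by scope: map the entered suffix to a preconfigured IdP.
    Scopes outside the allowlist are refused rather than resolved dynamically."""
    scope = scope_of(scoped_id)
    if scope is None:
        return None
    return KNOWN_IDPS.get(scope)


if __name__ == "__main__":
    for name, url in idp_links("https://vle.example.org/external"):
        print(name, url)
    print(select_idp("1324@uhi.ac.uk"))           # the UHI entry
    print(select_idp("1324@basement.example"))    # None: not a partner IdP
```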