List Home All Archives Dates Threads Authors Subjects
saml-dev - RE: [saml-dev] SP --> IDP Auth Message Thread: Previous | Next
  • From: "Jahan Moreh" <>
  • To: "'Cahill, Conor P'" <>,"'prasanta behera'" <>,<>
  • Date: Mon, 28 Nov 2005 11:44:42 -0800
Send Email to
Send new message
Reply to this message
If the idea is to get a precise "Yes or No" answer, I agree with Conor. But, if the intent is to know if the IdP has previously authenticated the user, then I think the SP can use an <AuthnQuery>.

From: Cahill, Conor P []
Sent: Monday, November 28, 2005 11:04 AM
To: prasanta behera;
Subject: RE: [saml-dev] SP --> IDP Auth

SP wants to know if the user is authenticated or not (status: Y or N) at the IDP?
How can I do that? 
There is *NO* way to do this in SAML (1.0 or 2.0).
The other answer's I've seen all deal with answering the question "Is the IdP willing to establish and/or share an authentication session with the SP?' or from the SP's point of view "Please provide whaterver authentication information you are allowed to provide for this user?"
If everything works and all permissions are granted, the SP finds out that the user is authenticated and that the IdP was willing to share that information with the SP. 
If it doesn't work (for many different reasons) the SP gets nothing.  So the SP can't tell if the user is authenticated or not at the IdP when it gets nothing.
There are many cases where the user will be authetnicated at an IdP where the SP cannot figure that out.


By Date: Previous | Next Current Thread By Thread: Previous | Next

  Mail converted by the most-excellent MHonArc 2.6.10