saml-dev message



Subject: RE: [saml-dev] SP --> IDP Auth


Conor -
I agree and my response validates your statement that one needs to understand exactly what the SP is asking. I read the case Prasanta was inquiring about as in fact the SP asking "Hey is this person authenticated at your service".
 
Thanks,
Jahan
 


From: Cahill, Conor P [mailto:conor.p.cahill@intel.com]
Sent: Monday, November 28, 2005 11:59 AM
To: jmoreh@sigaba.com; prasanta behera; saml-dev@lists.oasis-open.org
Subject: RE: [saml-dev] SP --> IDP Auth

There's no way to ask that question either.  
 
The SP essentially says to the IdP "Hey, who is this person".   The SP can add on that request a flag that says "Hey, if you would need to interact with the user to answer that question, I (the SP) would prefer that you did not do so".  This flag (IsPassive) can cause the IdP to return "No" to the SP's request when it might otherwise have been able to say Yes (assuming the interaction would have been successful).
 
So one could argue in the case where the SP already has a relationship with the user, that the IsPassive query that fails could be interpreted as a "they haven't already authenticated" however, I would say that since they are not authenticated, the SP really doesn't know it is the user that they think it is, so again, they don't get information unless there is success.
 
The key in all of this discussion is understanding exactly what the SP is asking.  And it is much more along the lines of what I said above (SP says to IdP "Hey, who is this person").  The SP does not say "Hey is this person authenticated at your service" or "Did this person previously authenticate at your service".
 
One might say I am splitting hairs, but I think the distinction is important.
 
Conor
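As an added illustration of Conor's point (example code written for this archive, not from the thread or from any SAML implementation): a small script that builds an AuthnRequest with IsPassive and then classifies the IdP's Response the way an SP should. Only a Success status carrying an AuthnStatement tells the SP anything; a NoPassive or any other failure is "unknown", not "not authenticated". The namespaces and status URIs are SAML 2.0's; the sample responses, IDs, timestamps and host names are constructed.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"

def build_authn_request(request_id, issuer, is_passive):
    """Minimal AuthnRequest; IsPassive="true" asks the IdP not to interact with the user."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest",
                     {"ID": request_id, "Version": "2.0",
                      "IssueInstant": "2005-11-28T19:59:00Z",  # constructed timestamp
                      "IsPassive": "true" if is_passive else "false"})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(req, encoding="unicode")

def interpret_response(response_xml, expected_request_id):
    """Return what the SP actually learns: 'authenticated' or 'unknown'.
    Only a Success status carrying an AuthnStatement for our own request means
    'authenticated'. Anything else (NoPassive, Responder, Requester, a reply to
    some other request) is 'unknown', NOT 'not authenticated': the IdP may hold
    a session for this user that it simply declined to reveal."""
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != expected_request_id:
        return "unknown"  # not an answer to the question we asked
    top = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if top is None or top.get("Value") != SUCCESS:
        return "unknown"
    stmt = root.find(f"{{{SAML}}}Assertion/{{{SAML}}}AuthnStatement")
    return "authenticated" if stmt is not None else "unknown"

# Constructed sample responses (not captured from a real IdP).
RESPONSE_SUCCESS = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1"
  Version="2.0" InResponseTo="_req1" IssueInstant="2005-11-28T19:59:01Z">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2005-11-28T19:59:01Z">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <saml:AuthnStatement AuthnInstant="2005-11-28T18:00:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

# The IdP would have had to interact with the user, but IsPassive forbade it.
RESPONSE_NO_PASSIVE = f"""<samlp:Response xmlns:samlp="{SAMLP}" ID="_r2"
  Version="2.0" InResponseTo="_req1" IssueInstant="2005-11-28T19:59:01Z">
  <samlp:Status><samlp:StatusCode Value="{RESPONDER}">
    <samlp:StatusCode Value="{NO_PASSIVE}"/></samlp:StatusCode></samlp:Status>
</samlp:Response>"""
```

Calling `interpret_response(RESPONSE_NO_PASSIVE, "_req1")` yields "unknown", the same answer the SP gets for any other failure, which is exactly why a failed IsPassive request cannot be read as "not authenticated".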


From: Jahan Moreh [mailto:jmoreh@sigaba.com]
Sent: Monday, November 28, 2005 2:45 PM
To: Cahill, Conor P; 'prasanta behera'; saml-dev@lists.oasis-open.org
Subject: RE: [saml-dev] SP --> IDP Auth

If the idea is to get a precise "Yes or No" answer, I agree with Conor. But, if the intent is to know if the IdP has previously authenticated the user, then I think the SP can use an <AuthnQuery>.
 
Thanks,
Jahan
 


From: Cahill, Conor P [mailto:conor.p.cahill@intel.com]
Sent: Monday, November 28, 2005 11:04 AM
To: prasanta behera; saml-dev@lists.oasis-open.org
Subject: RE: [saml-dev] SP --> IDP Auth

> SP wants to know if the user is authenticated or not (status: Y or N) at the IDP?
> How can I do that?
There is *NO* way to do this in SAML (1.0 or 2.0).
 
The other answers I've seen all deal with answering the question "Is the IdP willing to establish and/or share an authentication session with the SP?" or from the SP's point of view "Please provide whatever authentication information you are allowed to provide for this user?"
 
If everything works and all permissions are granted, the SP finds out that the user is authenticated and that the IdP was willing to share that information with the SP. 
 
If it doesn't work (for many different reasons) the SP gets nothing.  So the SP can't tell if the user is authenticated or not at the IdP when it gets nothing.
 
There are many cases where the user will be authenticated at an IdP where the SP cannot figure that out.
 

Conor 

