saml-dev message
Subject: RE: [saml-dev] IDP to receive an unsolicit authresponse


Any entity in SAML can participate as different actors across different transactions.  So an IdP in one COT can also be an SP in another COT.   In your case, IdP A is an IdP in COTa and IdPb is an SP (say SPa) in COTa but an IdP (say IdPb) in COTb.  So yes, IdPa can send an unsolicited authnResp to SPa.  SPa can then act as IdPb and provide assertions to entities within COTb based upon the authentication performed at IdPa.  
 
The <ProxyRestriction> is an element that IdPa can use to control what SPa/IdPb is allowed to do based upon the assertion issued by IdPa.
 
As far as IdPa going to SPb, I think what would happen is that IdPa would not send an assertion to SPb since SPb is not in IdPa's COTa, so either a) IdPa would send you to some form of redirect URL at SPa/IdPb (assuming IdPa knows that SPb will accept assertions from IdPb) or b) IdPa sends you to SPb with no authn info, SPb does IdP discovery and discovers IdPb and sends an AuthnRequest to IdPb, IdPb then does IdP discovery and sends an AuthnRequest to IdPa and voila, you get authenticated through indirection to SPb.
 
Conor


From: Giuseppe Sarno [mailto:gsarno@nortel.com]
Sent: Monday, March 13, 2006 6:49 AM
To: saml-dev@lists.oasis-open.org
Subject: [saml-dev] IDP to receive an unsolicit authresponse

Hi,
I haven't seen this in the profiles but I was wondering whether it makes sense for an IDP to receive an
Auth response from maybe another IDP.

I was wondering if there are 2 enterprises (A and B) in a trust relationship, both providing 1 IDP (IDP A and IDP B).
If IDP A's web portal provides a link to IDP B and I just logged into IDP A and tried to follow the link to IDP B,
wouldn't it make sense for IDP A to send an Auth response to IDP B?

Also, if I had a link from IDP A to SP B (service provider in B) and I tried to follow this link,
SP B would probably receive an Auth Response from IDP A, but shouldn't IDP B somehow be notified about this?

What do you think ?

Thanks.
Giuseppe.
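Conor's reply above points at <ProxyRestriction> as the control IdPa has over what SPa/IdPb may do with an assertion when it turns around and acts as an IdP for COTb. The following is an added example, not code from the thread or from any OASIS implementation: it parses a constructed SAML 2.0 assertion in which IdPa allows exactly one hop of proxying and only towards SPb, and derives the restriction that the proxied assertion has to carry. All entity identifiers (idpa.example.com, spa.example.com, spb.example.com) and the Count/Audience values are assumptions made up for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion (not from the thread): IdPa issues it to SPa and,
# via <ProxyRestriction>, permits SPa (acting as IdPb) to proxy it one hop
# further, but only to SPb. Entity IDs are placeholders.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-example"
                Version="2.0" IssueInstant="2006-03-13T12:00:00Z">
  <saml:Issuer>https://idpa.example.com/idp</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotOnOrAfter="2006-03-13T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://spa.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
    <saml:ProxyRestriction Count="1">
      <saml:Audience>https://spb.example.com/sp</saml:Audience>
    </saml:ProxyRestriction>
  </saml:Conditions>
</saml:Assertion>"""


@dataclass(frozen=True)
class ProxyRestriction:
    count: Optional[int]        # None: Count attribute absent, no hop limit stated
    audiences: FrozenSet[str]   # empty: no limit on downstream audiences stated


def parse_proxy_restriction(assertion_xml: str) -> Optional[ProxyRestriction]:
    """Return the <saml:ProxyRestriction> of an assertion, or None if it has none."""
    root = ET.fromstring(assertion_xml)
    el = root.find("saml:Conditions/saml:ProxyRestriction", NS)
    if el is None:
        return None
    raw = el.get("Count")
    count = int(raw) if raw is not None else None
    if count is not None and count < 0:
        raise ValueError("ProxyRestriction Count must be a non-negative integer")
    audiences = frozenset(
        a.text.strip() for a in el.findall("saml:Audience", NS) if a.text
    )
    return ProxyRestriction(count, audiences)


def derive_downstream_restriction(
    upstream: Optional[ProxyRestriction], downstream_audience: str
) -> Optional[ProxyRestriction]:
    """Decide whether the relying party (SPa acting as IdPb) may issue a new
    assertion to downstream_audience on the basis of the upstream assertion.

    Raises PermissionError when proxying is not permitted; otherwise returns
    the ProxyRestriction the new assertion must carry: Count reduced by one
    and the upstream audience list carried forward unchanged (the most
    conservative choice, since the spec only allows it to be tightened).
    """
    if upstream is None:
        # No <ProxyRestriction> at all: the asserting party stated no limit.
        # Local policy may still forbid proxying; that is outside this check.
        return None
    if upstream.count == 0:
        raise PermissionError("Count=0: this assertion must not be proxied")
    if upstream.audiences and downstream_audience not in upstream.audiences:
        raise PermissionError(
            f"{downstream_audience} is not a permitted proxy audience"
        )
    new_count = None if upstream.count is None else upstream.count - 1
    return ProxyRestriction(new_count, upstream.audiences)


def proxy_restriction_element(r: ProxyRestriction) -> ET.Element:
    """Serialise a ProxyRestriction for inclusion in the proxied assertion."""
    el = ET.Element(f"{{{SAML_NS}}}ProxyRestriction")
    if r.count is not None:
        el.set("Count", str(r.count))
    for aud in sorted(r.audiences):
        ET.SubElement(el, f"{{{SAML_NS}}}Audience").text = aud
    return el


if __name__ == "__main__":
    upstream = parse_proxy_restriction(SAMPLE_ASSERTION)
    downstream = derive_downstream_restriction(upstream, "https://spb.example.com/sp")
    print(ET.tostring(proxy_restriction_element(downstream)).decode())
```

Run against the sample, the derived restriction for SPb has Count="0", so SPb receives an assertion it may consume but not proxy any further; any audience other than SPb is refused at SPa/IdPb. That is the mechanism by which IdPa, in Conor's description, keeps control of how far its authentication travels through indirection.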


