saml-dev message

Subject: Re: [saml-dev] I have created a sample SSO scenario; Am I understanding correctly how SAML is to be used?

On 5/9/06, Cahill, Conor P <conor.p.cahill@intel.com> wrote:
> > Of course the problem with this (and nearly all SP-first
> > scenarios) is IdP discovery.  How does the SP know the
> > principal's preferred IdP?
> That's an issue whether or not one knows who the user is.

I'm not following you, Conor.  I know you know what IdP discovery is
:-) but let me state it here so Roger understands the point I'm trying
to make.  IdP discovery is a consequence of SP-first profiles.  The SP
must decide where to send the AuthnRequest, and often that boils down
to an interaction with the user.

> But of
> course, there are many different solutions to discovery and it
> probably has the largest impact on the first access to the SP.

This assumes a stateful SP.  Regardless, the SP must determine the
user's preferred IdP, and often this requires interaction with the
user (yuk).  The SP can try to guess, but this is difficult, even with
perfect knowledge of the user's past history.

> if the
> car rental company is only worried about people coming from the
> airlines, then it won't matter to them and unsolicited authn response
> is fine.  However, if they want to encourage direct access, even
> for users who use the airline as an IdP, they would probably want
> to support the full authnrequest model.

Agreed.  The car rental company will want to support both profiles. 
If some users first arrive at the SP with authn assertion in hand, so
much the better.
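As an added illustration, not code from this thread or from any SAML toolkit, here is a simplified Python model of the car-rental SP supporting both profiles discussed above: SP-first, where the SP discovers the IdP and sends an AuthnRequest, and IdP-first, where an unsolicited response arrives with no InResponseTo. IdP entity IDs, endpoints and the preference hint are constructed values; XML, signing and assertion validation are assumed to happen before this logic runs.

```python
import secrets
import time

# Constructed sample IdP registry (assumed values): entityID -> SSO endpoint.
IDPS = {
    "https://idp.airline.example": "https://idp.airline.example/sso",
    "https://idp.bank.example": "https://idp.bank.example/sso",
}

class ServiceProvider:
    """Minimal SP handling SP-first (AuthnRequest) and IdP-first (unsolicited) flows."""

    def __init__(self, entity_id, idps, request_ttl=300):
        self.entity_id = entity_id
        self.idps = idps
        self.request_ttl = request_ttl
        self.outstanding = {}  # AuthnRequest ID -> (IdP entityID, issue time)

    def discover_idp(self, hint=None):
        """IdP discovery: honour a remembered preference (e.g. a cookie, assumed here)
        only if it names a trusted IdP; None means the user has to be asked."""
        return hint if hint in self.idps else None

    def build_authn_request(self, idp_entity_id, now=None):
        """SP-first: mint an AuthnRequest for the chosen IdP and remember its ID."""
        if idp_entity_id not in self.idps:
            raise ValueError("unknown IdP")
        req_id = "_" + secrets.token_hex(16)  # SAML IDs must start with a letter or '_'
        self.outstanding[req_id] = (idp_entity_id, time.time() if now is None else now)
        return {"ID": req_id, "Issuer": self.entity_id,
                "Destination": self.idps[idp_entity_id]}

    def accept_response(self, response, now=None):
        """Accept an unsolicited response (no InResponseTo) or one answering a still
        outstanding AuthnRequest from the same IdP; anything else is rejected."""
        now = time.time() if now is None else now
        issuer = response.get("Issuer")
        if issuer not in self.idps:
            return False, "untrusted issuer"
        irt = response.get("InResponseTo")
        if irt is None:
            return True, "idp-initiated"          # unsolicited authn response
        pending = self.outstanding.pop(irt, None)  # one-shot: blocks replay
        if pending is None:
            return False, "unknown or replayed InResponseTo"
        idp, issued = pending
        if idp != issuer:
            return False, "response from a different IdP than requested"
        if now - issued > self.request_ttl:
            return False, "AuthnRequest expired"
        return True, "sp-initiated"
```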
