Subject: RE: [saml-dev] SSO Browser profile question

You can also store the data internally at the SP and then correlate the AuthnRequest ID to the Response InResponseTo value.
-----Original Message-----
From: Cahill, Conor P [mailto:conor.p.cahill@intel.com]
Sent: Tuesday, June 13, 2006 10:29 AM
To: Goelen, Jurgen; saml-dev@lists.oasis-open.org
Subject: RE: [saml-dev] SSO Browser profile question

a) SAML provides for relay state information to be passed in the authnrequest and returned in the Response.
b) The SP can store its own information in the browser (via cookie) prior to sending the user to the IdP and use this information when the IdP sends the browser back.

From: Goelen, Jurgen [mailto:jurgen.goelen@siemens.com]
Sent: Tuesday, June 13, 2006 10:24 AM
To: saml-dev@lists.oasis-open.org
Subject: [saml-dev] SSO Browser profile question

Hello *,


Which mechanisms does SAML provide for maintaining the state between the initial resource request of the User Agent and the actual response of the SP? (SSO Browser profile). I will clarify my question with a small example:


A User Agent accesses a resource on an SP for which it has no security context:


  1. UA requests a resource on the SP.
  2. SP responds with an <AuthnRequest>. (-> no security context)
  3. <AuthnRequest> gets redirected to the IdP.
  4. IdP redirects an assertion about the Principal to the SP.
  5. SP responds to UA. (-> requested resource)


Which SAML mechanisms can be used by an SP to correlate the initial resource request (step 1) with the redirected assertion (step 4)? In other words, how does the SP know which resource it has to provide based on the response of the IdP?


Best regards,


Jurgen Goelen
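
Added example, not part of the original thread: a Python sketch of the SP-side correlation described in the replies, where the SP stores the requested resource under the AuthnRequest ID and looks it up by the Response's InResponseTo value. The class and method names, the binding to a browser session identifier, and the 300-second lifetime are assumptions made for illustration.

```python
import hmac
import secrets
import time


class PendingRequestStore:
    """SP-side map: AuthnRequest ID -> resource the user originally asked for.

    Hypothetical helper; names and the TTL are illustrative assumptions.
    """

    def __init__(self, ttl_seconds=300, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock
        self._pending = {}  # request_id -> (session_id, resource_url, expires_at)

    def begin(self, session_id, resource_url):
        """Steps 1-2: remember the resource and return the ID for the <AuthnRequest>."""
        # The ID attribute is an xs:ID, so it must not start with a digit.
        request_id = "_" + secrets.token_hex(16)
        expires_at = self._clock() + self._ttl
        self._pending[request_id] = (session_id, resource_url, expires_at)
        return request_id

    def complete(self, session_id, in_response_to):
        """Step 4: map the Response's InResponseTo back to the stored resource.

        Returns None for a missing, unknown, replayed, expired, or
        wrong-session value, so the caller can reject the Response.
        """
        if not in_response_to:
            return None  # no InResponseTo: nothing to correlate against
        # pop() makes each request ID single use, even if a later check fails.
        entry = self._pending.pop(in_response_to, None)
        if entry is None:
            return None
        stored_session, resource_url, expires_at = entry
        if self._clock() > expires_at:
            return None
        if not hmac.compare_digest(stored_session, session_id):
            return None  # Response arrived in a different browser session
        return resource_url


if __name__ == "__main__":
    store = PendingRequestStore()
    rid = store.begin("constructed-session-1", "/reports/q2")  # constructed values
    print(store.complete("constructed-session-1", rid))  # first use
    print(store.complete("constructed-session-1", rid))  # replay
```

The same lookup can also return a stored RelayState value if the SP uses option (a) from the reply above instead of keeping the resource URL server-side.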


