Subject: RE: [saml-dev] Re: Metadata, IdP Disco, AuthnRequest, etc...
> Agreed, and I think multi-federation SPs will be common enough that
> the limitations of the current IdP disco will be felt. Maybe I'm
> wrong there -- what has your experience been?

I generally believe that discovery is always required, either in the SP or as part of a cluster of related SPs. It's SP-centric, not IdP-centric, and federations are IdP-centric in many cases.

> I agree that for best general experience, the SP should handle IdP
> selection, but in the absence of a workable "global cookie" solution,
> I'm not sure how annoying that would be (ie, to select your IdP at
> each SP you visit, though I suppose an initial passive probe would
> solve that problem for sites after the first one; you run the risk of
> having to do umpteen bazillion redirects, though).

Yep. I'm simply saying that it's pointless to keep arguing about it... if people think that alone is enough to kill browser-based SSO, then kill it. It's not going to get fixed; there is no global cookie. Personally, I believe a few UI "experts" are deciding what is acceptable for the rest of us and need to get out of the way so we can try more things.

> The best thing would be to use some bit of browser (or other client,
> in the non-web world) plugin to determine, and fall back to SP-
> implemented asking, but that would be... difficult at the least to
> get people to buy in on, unless the browser (and other client)
> producers also buy in.

I'm saying it's not a question of best; that's the only way to do it. The alternative is OpenID-style: you enter the IdP at the SP. There's no other solution I can see. That works fine with SAML, but it's been a longstanding point of mine that the SAML side seems to dismiss that option while OpenID seems to presume that option. Somebody's wrong about what is "acceptable".

> Getting people to remember what an Onyen (or NetID, or whatever an
> institution calls it) is is hard enough. Making them remember that
> if they're at site X to choose federation Y, but at Z choose W is not
> really feasible. I think, anyway.

I agree, I think it has to be IdP-centric, and failing that geographic. Mostly I think a lot of us are talking out of our butt and need to just deploy it and stop using discovery as an excuse. If a few clicks is more than users can handle, we're wasting our time.

-- Scott
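The three discovery routes the thread argues over (the common-domain "global cookie", an SP-remembered choice tried as a passive probe, and the OpenID-style fallback where the user simply enters their IdP at the SP) can be wired together as one SP-side decision. The following is an added example written for this page, not code from the list discussion or from any SAML implementation. The only thing taken from the specification is the cookie format of the SAML 2.0 IdP Discovery profile: a cookie named `_saml_idp` whose value is a space-separated list of base64-encoded entityIDs, most recently used last. The SP-private cookie name `sp_last_idp`, the federation registry, and the sample entityIDs are assumptions constructed for the example.

```python
"""SP-side IdP discovery: global cookie -> SP memory -> user-entered IdP.

Constructed example. Only the _saml_idp cookie format comes from the SAML 2.0
IdP Discovery profile; the SP-private cookie, the federation registry and
the sample entityIDs are assumptions made for illustration.
"""
import base64
import binascii
from dataclasses import dataclass, field
from typing import Optional

COMMON_DOMAIN_COOKIE = "_saml_idp"   # name fixed by the IdP Discovery profile
SP_LOCAL_COOKIE = "sp_last_idp"      # hypothetical cookie private to this SP


def parse_common_domain_cookie(value: str) -> list[str]:
    """Decode _saml_idp into entityIDs, most recently used last.

    Entries that are not valid base64 (or not UTF-8) are skipped: the cookie
    is client-supplied, so nothing in it is trusted until it is matched
    against the SP's own list of known IdPs.
    """
    ids = []
    for token in value.split():
        try:
            entity_id = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if entity_id:
            ids.append(entity_id)
    return ids


def encode_common_domain_cookie(entity_ids: list[str]) -> str:
    """Inverse of parse_common_domain_cookie, for building test values."""
    return " ".join(base64.b64encode(e.encode("utf-8")).decode("ascii")
                    for e in entity_ids)


@dataclass
class Federations:
    """Federation name -> IdP entityIDs this SP accepts (from its metadata)."""
    members: dict[str, set[str]] = field(default_factory=dict)

    def known(self, entity_id: str) -> bool:
        return any(entity_id in ids for ids in self.members.values())


@dataclass
class Decision:
    idp: Optional[str]   # entityID to target with the AuthnRequest, or None
    is_passive: bool     # True: send IsPassive="true" (silent probe, no UI)
    prompt_user: bool    # True: render the "enter/choose your IdP" page
    source: str          # which step produced this decision


def choose_idp(cookies: dict[str, str], feds: Federations,
               user_entered: Optional[str] = None,
               passive_failed: bool = False) -> Decision:
    """Decide where to send the user for one SP request.

    passive_failed means an earlier IsPassive probe came back with NoPassive,
    so a remembered IdP is not retried silently; the user is asked instead.
    """
    # An explicit OpenID-style entry at the SP wins over any remembered hint.
    if user_entered:
        if feds.known(user_entered):
            return Decision(user_entered, False, False, "user-entered")
        return Decision(None, False, True, "user-entered-unknown")

    # The silent probe already failed once: do not loop on redirects, ask.
    if passive_failed:
        return Decision(None, False, True, "passive-probe-failed")

    # 1. Common-domain cookie: most recent IdP first, but only if we know it.
    hints = parse_common_domain_cookie(cookies.get(COMMON_DOMAIN_COOKIE, ""))
    for entity_id in reversed(hints):
        if feds.known(entity_id):
            return Decision(entity_id, True, False, "common-domain-cookie")

    # 2. This SP's own memory of the last IdP the user chose here.
    local = cookies.get(SP_LOCAL_COOKIE)
    if local and feds.known(local):
        return Decision(local, True, False, "sp-local-cookie")

    # 3. Nothing usable: ask the user.
    return Decision(None, False, True, "no-hint")


# Constructed federation membership for two federations this SP belongs to.
SAMPLE_FEDS = Federations({
    "fed-a": {"https://idp.alpha.example.edu/idp"},
    "fed-b": {"https://idp.beta.example.org/saml2", "https://idp.gamma.example.net/idp"},
})


if __name__ == "__main__":
    ck = {COMMON_DOMAIN_COOKIE: encode_common_domain_cookie(
        ["https://idp.alpha.example.edu/idp", "https://idp.beta.example.org/saml2"])}
    print(choose_idp(ck, SAMPLE_FEDS))
```

The `passive_failed` branch is the guard against the "umpteen bazillion redirects" worry raised in the quoted text: a silent probe is attempted at most once per request chain, and a `NoPassive` response drops straight to the prompt rather than trying the next hint. Matching every hint against the SP's own metadata before use is what keeps a client-controlled cookie from steering the AuthnRequest to an arbitrary endpoint.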