
Subject: RE: [saml-dev] Re: Metadata, IdP Disco, AuthnRequest, etc...

> Agreed, and I think multi-federation SPs will be common enough that
> the limitations of the current IdP disco will be felt.  Maybe I'm
> wrong there -- what has your experience been?

I generally believe that discovery is always required either in the SP or as
part of a cluster of related SPs. It's SP-centric, not IdP-centric, and
federations are IdP-centric in many cases.

> I agree that for best general experience, the SP should handle IdP
> selection, but in the absence of a workable "global cookie" solution,
> I'm not sure how annoying that would be (i.e., to select your IdP at
> each SP you visit, though I suppose an initial passive probe would
> solve that problem for sites after the first one; you run the risk of
> having to do umpteen bazillion redirects, though).

Yep. I'm simply saying that it's pointless to keep arguing about it...if
people think that alone is enough to kill browser-based SSO, then kill it.
It's not going to get fixed, there is no global cookie.

Personally, I believe a few UI "experts" are deciding what is acceptable for
the rest of us and need to get out of the way so we can try more things.

> The best thing would be to use some bit of browser (or other client,
> in the non-web world) plugin to determine, and fall back to SP-
> implemented asking, but that would be... difficult at the least to
> get people to buy in on, unless the browser (and other client)
> producers also buy in.

I'm saying it's not a question of best, that's the only way to do it. The
alternative is OpenID-style, you enter the IdP at the SP. There's no other
solution I can see. That works fine with SAML, but it's been a longstanding
point of mine that the SAML side seems to dismiss that option while OpenID
seems to presume that option. Somebody's wrong about what is "acceptable".

> Getting people to remember what an Onyen (or NetID, or whatever an
> institution calls it) is is hard enough.  Making them remember that
> if they're at site X to choose federation Y, but at Z choose W is not
> really feasible.  I think, anyway.

I agree, I think it has to be IdP-centric, and failing that geographic.

Mostly I think a lot of us are talking out of our butt and need to just
deploy it and stop using discovery as an excuse. If a few clicks is more
than users can handle, we're wasting our time.

-- Scott
