Subject: RE: [saml-dev] common domain cookie question
> Can someone clarify how this cookie is used?

Very rarely because the profile doesn't scale terribly well.

> If an SP is supposed to use the last-appended IdP doesn't this mean a
> principal is effectively authenticated to only one IdP at a time?

That's orthogonal, and the SP can do anything it likes with the value in the cookie, particularly present it to the user as a "previously used" choice and not just silently rely on it.

> 1. user logs into IdP #1
> 2. user can access SPs honoring authentication via IdP #1
> 3. user logs into IdP #2
> 4. user can access SPs honoring authentication via IdP #2
>
> 5. user requests an SP honoring authentication via IdP #1
> 6. said SP retrieves the common domain cookie, extracts last entry (IdP #2)
> and redirects browser to IdP #2
> 7. IdP #2 cannot authenticate the user for an SP requiring authentication
> via IdP #1

If the SP required use of IdP#1, then why would it use IdP#2? The profile doesn't trump the reality of trust relationships.

-- Scott
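
Added example, not part of the message above or of any SAML implementation: one way an SP can treat the common domain cookie as a hint filtered through its own trust relationships, so the scenario in steps 5 to 7 yields IdP #1 rather than a redirect to IdP #2. It assumes the SAML 2.0 Identity Provider Discovery Profile encoding (cookie `_saml_idp`, URL-encoded, space-separated base64 entityIDs, most recent last); the function names and entityIDs are hypothetical.

```python
import base64
import binascii
from urllib.parse import quote, unquote


def parse_common_domain_cookie(raw_value):
    """Decode a _saml_idp cookie value into entityIDs, oldest first."""
    idps = []
    for token in unquote(raw_value).split(" "):
        if not token:
            continue
        try:
            entity_id = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # the cookie is browser-supplied: skip malformed entries
        idps.append(entity_id)
    return idps


def idp_hints(raw_value, trusted_idps):
    """IdPs from the cookie that this SP trusts, most recently used first.

    The result is a list of "previously used" choices to show the user,
    never an instruction to redirect to an IdP the SP has no trust in.
    """
    hints = []
    for entity_id in reversed(parse_common_domain_cookie(raw_value)):
        if entity_id in trusted_idps and entity_id not in hints:
            hints.append(entity_id)
    return hints


def build_cookie(entity_ids):
    """Build a cookie value the way a common-domain writer would (test helper)."""
    tokens = [base64.b64encode(e.encode("utf-8")).decode("ascii") for e in entity_ids]
    return quote(" ".join(tokens))


# Constructed sample: the user logged into IdP #1, then IdP #2.
IDP1 = "https://idp1.example.org/idp"
IDP2 = "https://idp2.example.org/idp"
SAMPLE_COOKIE = build_cookie([IDP1, IDP2])

if __name__ == "__main__":
    # An SP that only trusts IdP #1 ignores the last entry (IdP #2).
    print(idp_hints(SAMPLE_COOKIE, {IDP1}))
```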