OASIS Mailing List Archives

saml-dev message


Subject: RE: AuthnRequest and isPassive=true


isPassive=true was intended to be used by a Relying Party when they would like to know who you are, but not enough to ask the IdP to actually interact with the user. If the IdP doesn’t have an existing session with the user or has not already gotten permission to send an assertion to the RP, the IdP is expected to respond with an “I don’t know” to the RP. So you can see it as an RP indicator to the IdP that the RP doesn’t want the IdP to prompt the user for credentials/permission.

 

This allows an RP to do something like saying “Welcome Conor” and giving me a user-customized home page without the need for me to authenticate to get it. Sort of like what happens when you go to Amazon, but without the need for a cookie.

 

Conor

 

From: Paul Hethmon [mailto:paul.hethmon@clareitysecurity.com]
Sent: Monday, September 13, 2010 5:30 PM
To: SAML Dev
Subject: [saml-dev] AuthnRequest and isPassive=true

 

Is there any commentary expanding on the spec in what isPassive="true" means? Or is meant to mean?

The description of “not visibly taking control” seems a bit ambiguous. Does that mean the login screen should mimic the service provider site? Does that mean return an error otherwise?

thanks,

Paul
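
The RP side of the passive check described in this thread, as an added example that is not part of either message: it builds an AuthnRequest with IsPassive="true" and maps the IdP's answer to a next step, treating the SAML 2.0 `NoPassive` second-level status as the "I don't know" case. The function names, return labels and URLs are assumptions made for illustration, and the sample responses are constructed and unsigned.

```python
import datetime
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"  # prefix of SAML 2.0 status URIs


def build_passive_authn_request(issuer, destination, acs_url):
    """Return (request_id, xml) for an AuthnRequest carrying IsPassive="true"."""
    request_id = "_" + uuid.uuid4().hex
    now = datetime.datetime.now(datetime.timezone.utc)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "IsPassive": "true",  # the IdP must not prompt the user
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    return request_id, ET.tostring(req, encoding="unicode")


def classify_passive_response(response_xml, expected_request_id):
    """Map the Response status to the RP's next step (status check only)."""
    # A real RP verifies the signature and conditions before trusting anything.
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != expected_request_id:
        return "reject"  # not an answer to our request
    top = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if top is None:
        return "reject"
    if top.get("Value") == STATUS + "Success":
        return "validate_assertion"  # identity known only after validation
    nested = top.find(f"{{{SAMLP}}}StatusCode")
    if nested is not None and nested.get("Value") == STATUS + "NoPassive":
        return "anonymous"  # the "I don't know" answer: serve the generic page
    return "reject"


def constructed_response(request_id, top, nested=None):
    """Constructed, unsigned sample Response containing only a Status."""
    inner = f'<samlp:StatusCode Value="{STATUS}{nested}"/>' if nested else ""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0" '
            f'InResponseTo="{request_id}"><samlp:Status><samlp:StatusCode '
            f'Value="{STATUS}{top}">{inner}</samlp:StatusCode></samlp:Status>'
            f'</samlp:Response>')
```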


