saml-dev message

Subject: Re: [saml-dev] returning multiple IdP entityIDs to the SP

On Aug 18, 2012, at 2:11 PM, "Tom Scavo" <trscavo@gmail.com> wrote:

> I assume you mean a discovery service is precisely the default
> behavior you've specified in the profile
> (urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol:single).
> Is that what you meant?

I mean that presenting a choice of IdPs to the user is a DS, so I didn't see the point of returning multiple choices from a...DS.

> If so, then let me ask: Suppose there were a 3rd party service that
> returned a list of the user's IdPs (i.e., the value of the "_saml_idp"
> cookie as defined in SAML2Prof). Would you call that a "discovery
> service"?

No. I'd call it a cookie service, I guess.

> That statement is a little strong, I think. An SP that wants to do
> discovery itself can still benefit from a 3rd party service that knows
> about the user's global behavior.

I wouldn't really call it discovery, and then there are the basic problems with relying on supposedly "global" services. There isn't a place to put it.

> In that case, your profile could be used passively to obtain this information, which presumably would be used to optimize the UI at the SP.

I suppose, but the primary value would probably be less the protocol and more things like the metadata controlling access to the cookie. And frankly people that want to pursue the global domain concept don't tend to think that it's worth limiting access to the cookie anyway.

-- Scott
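The `_saml_idp` cookie that the thread refers to is defined in the SAML 2.0 Profiles specification (Identity Provider Discovery Profile): its value is a list of IdP entityIDs, each base64-encoded, separated by a single space, with the most recently used IdP last. The following is an added example, not code from the thread or from any OASIS or Shibboleth project, showing how an SP that does its own discovery would read, update and filter that cookie. The `known_idps` argument stands in for the set of IdP entityIDs the SP has loaded from metadata, which is the point Scott makes about metadata controlling which IdPs are worth offering; the cap of ten entries in `record_idp` is a local choice, not something the profile specifies.

```python
import base64
from typing import Iterable, List, Set

COOKIE_NAME = "_saml_idp"  # cookie name fixed by the IdP Discovery Profile


def parse_saml_idp_cookie(value: str) -> List[str]:
    """Decode a _saml_idp cookie value into entityIDs, oldest first.

    Per the profile the value is space-separated base64 tokens, most recent
    last.  A token that is not valid base64 (or not UTF-8) is skipped rather
    than rejecting the whole cookie, since the cookie is advisory only.
    """
    entity_ids = []
    for token in value.split(" "):
        if not token:
            continue
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # malformed entry; ignore it
        entity_ids.append(decoded)
    return entity_ids


def serialize_saml_idp_cookie(entity_ids: Iterable[str]) -> str:
    """Encode entityIDs (oldest first) into the cookie's wire format."""
    return " ".join(
        base64.b64encode(eid.encode("utf-8")).decode("ascii") for eid in entity_ids
    )


def record_idp(cookie_value: str, entity_id: str, max_entries: int = 10) -> str:
    """Return the new cookie value after a successful login at entity_id.

    The IdP is moved to the end (most recent); duplicates are removed and
    the list is truncated to max_entries (a local limit, not from the profile).
    """
    ids = [e for e in parse_saml_idp_cookie(cookie_value) if e != entity_id]
    ids.append(entity_id)
    return serialize_saml_idp_cookie(ids[-max_entries:])


def candidate_idps(cookie_value: str, known_idps: Set[str]) -> List[str]:
    """IdPs from the cookie that this SP actually trusts, most recent first.

    known_idps is assumed to be the entityIDs present in the SP's metadata;
    anything else in the cookie is dropped so the UI never offers an IdP
    the SP could not complete a login with.
    """
    return [
        eid for eid in reversed(parse_saml_idp_cookie(cookie_value))
        if eid in known_idps
    ]


if __name__ == "__main__":
    # Constructed sample data: two hypothetical IdP entityIDs.
    trusted = {"https://idp.example.edu/idp/shibboleth", "https://idp.example.org/saml2"}
    cookie = serialize_saml_idp_cookie(sorted(trusted))
    print(COOKIE_NAME, "=", cookie)
    print("candidates:", candidate_idps(cookie, trusted))
    print("after login:", parse_saml_idp_cookie(
        record_idp(cookie, "https://idp.example.edu/idp/shibboleth")))
```

When the SP sets the cookie it must do so on the common domain with `Path=/`, as the profile requires; the functions above only handle the value, which is the part an SP shares with any third party that reads or writes the same cookie.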