Subject: Re: [saml-dev] SSO multiple SPs

That is not a part of the spec. The IdP can use any technique. For example, if it's a WebSSO profile, the IdP uses a cookie/browser session to identify an already-authenticated browser session. It would then just create a new SAML Response and send it to the requesting party.

On Fri, Mar 14, 2014 at 11:50 AM, Security Developer <security.developer22@gmail.com> wrote:
Thanks for the answer. I have one last question please.

How does the IDP know that it should not authenticate the user when a SAML authentication request comes from the second SP?

Thanks for your time.

On Fri, Mar 14, 2014 at 1:38 AM, Paul Hethmon <paul.hethmon@clareitysecurity.com> wrote:
Please reply to the list, not me personally.

On Mar 13, 2014, at 12:10 PM, Security Developer <security.developer22@gmail.com> wrote:

> Thanks for the clarification. Please bear with me, I have a couple more questions.
> If the IDP chooses to follow the path of returning a SAML response containing a SAML assertion silently (without user interaction), then
> - Will the IDP return the same SAML assertion to the second SP that was returned to the first SP? If yes, how would the IDP know about it?

No, it will not be the same SAML Assertion. The assertion, among other things, contains information specific to the SP receiving it. So it will never be the "same" assertion. The IdP will construct the proper assertion for that SP.

> - How does Second SP know about the first SP?

The SPs will not know about each other via SAML.


Paul Hethmon
Chief Software Architect

