


saml-dev message


Subject: SAML & establishing an SSO connection

Imagine we want to have SSO between Site A and Site B, and the normal usage is for Site A to be the IdP, and Site B to be the SP.


However, before the “connection” is established between these sites for a particular principal, Site A and B don’t have any common information about the principal to agree upon. They don’t want to use a back-channel, so they need a use case to establish a common identifier.


Could this type of “establishing connection” be done as a regular SSO login (either unsolicited Response from IdP, or AuthnRequest from SP to IdP and then Response back to SP), except that:

- When the SP realizes it doesn’t recognize the identifying info in the Assertion, it prompts for authentication (e.g. login form).

- Then, assuming authentication was successful, the SP stores the identifying info from the Assertion (it could simply be a random persistent name identifier that was generated by the IdP).

Now the SP can always figure out the user/principal based on the IdP’s identifying info, so future SSO logins can skip the above.


Would that be considered a “normal” way of establishing connection?


What about switching it around? i.e. for the purpose of establishing connection, Site B could act as the IdP and send its identifying info (such as Site B-generated persistent name identifier) to Site A in a Response. Site A would then store this info so that it can use it in future SSO logins, when it is acting as the IdP. Is this reasonable?



michael lucas  |  Senior Software Developer  |  Great-West Life
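One way the SP side of the flow described in the post could be implemented, as an added example that is not from the original message or from any particular SAML product. The entity IDs, the NameID value and the `local_login` callback are constructed placeholders; the SAML library is assumed to have already verified the Response signature, validity window and InResponseTo before this code runs.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

@dataclass(frozen=True)
class NameID:
    value: str               # opaque identifier minted by the IdP
    fmt: str                 # NameID Format attribute
    name_qualifier: str      # NameQualifier: the issuing IdP
    sp_name_qualifier: str   # SPNameQualifier: the SP it was minted for

@dataclass(frozen=True)
class Assertion:
    issuer: str
    audience: str
    name_id: NameID

class LinkingSP:
    """SP that links an unknown persistent NameID to a local account on first SSO."""

    def __init__(self, entity_id: str, trusted_idps: set[str]) -> None:
        self.entity_id = entity_id
        self.trusted_idps = trusted_idps
        # (issuer, NameID value) -> local user id.  Keyed on the issuer as well,
        # so two IdPs that happen to mint the same value can never collide.
        self.links: dict[tuple[str, str], str] = {}

    def handle_response(self, a: Assertion,
                        local_login: Optional[Callable[[], Optional[str]]] = None):
        # Signature, validity window and InResponseTo are assumed already checked
        # by the SAML library; only the account-linking logic is shown here.
        if a.issuer not in self.trusted_idps:
            raise ValueError("untrusted issuer")
        if a.audience != self.entity_id:
            raise ValueError("assertion not addressed to this SP")
        n = a.name_id
        if n.fmt != PERSISTENT:
            raise ValueError("only persistent NameIDs may be linked")
        if n.name_qualifier != a.issuer or n.sp_name_qualifier != self.entity_id:
            raise ValueError("NameID qualifiers do not match issuer/SP")
        key = (a.issuer, n.value)
        if key in self.links:                  # connection already established
            return ("sso", self.links[key])
        if local_login is None:                # unknown NameID: ask for local credentials
            return ("needs_local_auth", None)
        user = local_login()                   # e.g. the SP's own login form
        if user is None:
            return ("denied", None)            # never store a link on failed local auth
        self.links[key] = user                 # remembered for future SSO logins
        return ("linked", user)
```

The reverse variant from the post (Site B acting as IdP once so Site A can store B's identifier) is the same table kept on Site A, with the roles of issuer and audience swapped.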
