OASIS Mailing List Archives
saml-dev message



Subject: Re: [saml-dev] SAML & establishing an SSO connection


On 12/9/14, 6:05 PM, "Lucas, Mike" <Mike.Lucas@gwl.ca> wrote:


>Could this type of “establishing connection” be done as a regular SSO 
>login (either unsolicited Response from IdP, or AuthnRequest from SP to 
>IdP and then Response back to SP), except that:
>- When the SP realizes it doesn’t recognize the identifying info in the 
>Assertion, it prompts for authentication (e.g. login form).
>- Then, assuming authentication was successful, the SP stores the 
>identifying info from the Assertion (it could simply be a random 
>persistent name identifier that was generated by the IdP).

Yes, that's the original Liberty "federation" use case idea back when 
account linking between vendors was a dominant use case. Much of the 
policy signaling in the SAML spec that rarely if ever gets used was put 
there because of that use case.

>Would that be considered a “normal” way of establishing connection?

It's not terribly common in practice because federation has tended to be 
among organizations operating in more clearly defined roles, and not a 
consumer thing.

>What about switching it around? i.e. for the purpose of establishing 
>connection, Site B could act as the IdP and send its identifying info 
>(such as a Site B-generated persistent name identifier) to Site A in a 
>Response. Site A would then store this info so that it can use it in 
>future SSO logins, when it is acting as the IdP. Is this reasonable?

Not in my opinion, but that's what SPProvidedID is for.

-- Scott
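The SP-side flow the question describes (unrecognised persistent NameID, local login prompt, store the link for future SSO), together with the SPProvidedID point in the reply, as an added example in Python. This is not code from the thread or from any SAML implementation; the entity IDs, the sample assertion and the login callback are constructed for illustration, and it assumes a real SAML stack has already validated the Response (signature, Conditions, Audience, InResponseTo, replay) before this bookkeeping runs.

```python
"""SP-side account linking ("federation") for a persistent SAML NameID.

Added example, not the list post's or any product's code. Assumes the
Response was already validated by a proper SAML library; only the NameID
handling that decides whether to prompt for a local login is modelled.
"""
from dataclasses import dataclass
from typing import Callable, Optional
import xml.etree.ElementTree as ET  # fine for the constructed sample; use defusedxml on real input

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


@dataclass(frozen=True)
class FederatedId:
    name_qualifier: str                  # IdP that issued the identifier
    sp_name_qualifier: str               # SP the identifier was issued for
    fmt: str
    value: str
    sp_provided_id: Optional[str] = None  # SP's own identifier, if the IdP echoes one


def parse_name_id(assertion_xml: str, our_entity_id: str) -> FederatedId:
    """Extract Subject/NameID, applying the SAML Core defaults for a persistent
    identifier: NameQualifier = Issuer, SPNameQualifier = relying party."""
    root = ET.fromstring(assertion_xml.strip())
    issuer = (root.findtext(f"{{{SAML}}}Issuer") or "").strip()
    nid = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if nid is None or not (nid.text or "").strip():
        raise ValueError("Assertion carries no usable NameID")
    return FederatedId(
        name_qualifier=nid.get("NameQualifier", issuer),
        sp_name_qualifier=nid.get("SPNameQualifier", our_entity_id),
        fmt=nid.get("Format", UNSPECIFIED),
        value=nid.text.strip(),
        sp_provided_id=nid.get("SPProvidedID"),
    )


class LinkStore:
    """Maps a fully qualified federated identifier to a local account.
    Keying on the qualifiers, not the bare value, keeps identifiers from
    two IdPs (or issued for another SP) from colliding."""

    def __init__(self) -> None:
        self._links: dict[tuple[str, str, str], tuple[str, Optional[str]]] = {}

    @staticmethod
    def _key(fid: FederatedId) -> tuple[str, str, str]:
        return (fid.name_qualifier, fid.sp_name_qualifier, fid.value)

    def lookup(self, fid: FederatedId) -> Optional[str]:
        entry = self._links.get(self._key(fid))
        if entry is None:
            return None
        local_user, registered_spid = entry
        # If the SP registered its own identifier (SPProvidedID) with the IdP,
        # an assertion carrying a different one is a mismatch worth alerting on.
        if fid.sp_provided_id is not None and fid.sp_provided_id != registered_spid:
            raise ValueError(f"SPProvidedID mismatch for local user {local_user}")
        return local_user

    def link(self, fid: FederatedId, local_user: str) -> None:
        self._links[self._key(fid)] = (local_user, fid.sp_provided_id)


def handle_sso(fid: FederatedId, store: LinkStore, our_entity_id: str,
               local_login: Callable[[], Optional[str]]) -> tuple[str, Optional[str]]:
    """Return (outcome, local_user). local_login() stands in for the login
    form and returns a local user id, or None if the user did not authenticate."""
    if fid.fmt != PERSISTENT:
        return ("reject", None)       # transient/unspecified ids cannot be linked
    if fid.sp_name_qualifier != our_entity_id:
        return ("reject", None)       # identifier was issued for a different SP
    user = store.lookup(fid)
    if user is not None:
        return ("sso", user)          # already federated: plain SSO
    user = local_login()              # first visit: prompt for local credentials
    if user is None:
        return ("auth_required", None)
    store.link(fid, user)             # federation established for next time
    return ("linked", user)


# Constructed sample (not a real assertion): just Issuer and Subject/NameID.
SAMPLE_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML}" ID="_constructed" Version="2.0">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{PERSISTENT}"
                 SPNameQualifier="https://sp.example.com">7a1f0c2e-opaque-value</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def demo() -> list[str]:
    """First visit links the account after a local login; the second is recognised."""
    store = LinkStore()
    fid = parse_name_id(SAMPLE_ASSERTION, "https://sp.example.com")
    first = handle_sso(fid, store, "https://sp.example.com", lambda: "mike@sp.local")
    second = handle_sso(fid, store, "https://sp.example.com", lambda: None)
    return [first[0], second[0]]


if __name__ == "__main__":
    print(demo())
```

The link key includes NameQualifier and SPNameQualifier because a persistent identifier is only meaningful relative to the pair of providers it was issued between; matching on the bare value would let the same string from a second IdP, or one issued for a different SP, land on the wrong local account. The SPProvidedID check models the reply's point: once the SP has registered its own identifier with the IdP, a later assertion that echoes a different one should be treated as an anomaly rather than silently accepted.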


