saml-dev message

Subject: RE: [saml-dev] SAML 2.0 IsPassive option

From: "Cantor, Scott" <cantor.2@osu.edu>
To: Peter Major <peter.major@forgerock.com>, "saml-dev@lists.oasis-open.org" <saml-dev@lists.oasis-open.org>
Date: Tue, 10 May 2016 13:25:27 +0000

> theoretically such seemless authentication is still within the bounds of
> the isPassive definition. Such authentication methods could probably
> involve:
> * kerberos (as long as the 401 page is not being displayed to the
> end-user after failed login)

Which you can't generally guarantee.

> Cert based authn is also similar, but with that the browser will ask for
> the password of the private key, not sure if that qualifies as passive
> authn.

If the user sees anything (other than temporary transiting pages or redirects) but the site they started at, the IdP has violated the standard.

-- Scott

References:
- SAML 2.0 IsPassive option
  - From: Chiranga Alwis <chirangaalwis@gmail.com>
- Re: [saml-dev] SAML 2.0 IsPassive option
  - From: "Dieter Maurer" <dieter@handshake.de>
- Re: [saml-dev] SAML 2.0 IsPassive option
  - From: Chiranga Alwis <chirangaalwis@gmail.com>
- Re: [saml-dev] SAML 2.0 IsPassive option
  - From: Peter Major <peter.major@forgerock.com>