[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: When does an IdP know that a user has successfully federated with an SP?
SAML 2.0 includes a number of different components that convey identifiers from IdP to SP or from SP to IdP. The goal here is more than informational; the interest lies in synchronizing state: one party is informing another, "change your internal tables with this new information." For this to be of value, there must be a way for initiators to understand when this type of state change has succeeded (or failed) at the destination. But this part seems to me very unclear, or at least extremely underspecified, in the current flows.

Consider, for example, the AuthnRequest/Response pair. A user visits an SP and is redirected to an IdP with <NameIDPolicy> set to AllowCreate. A new identifier is created and is returned with the Assertion to the SP. However, there is a failure at this point and the SP does not consume this identifier. The IdP has no knowledge of this failure. From its point of view, it would presumably allow the user to defederate from the SP in the very next step. When such a step is attempted, and the user does arrive at the SP with a completely unknown identifier, the potential for administrative confusion seems quite large. Another possibility is that the IdP may use one of the Name Identifier update methods to roll over the (non-existent) identifier at the SP.

I guess my question reduces to the following: is there much point to a system of state propagation in which success or failure of state update remains unknown?
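The scenario in the post, modelled as an added example (this is not code from the original message or from any SAML implementation): a minimal IdP and SP each keep their own federation table, the IdP mints a persistent NameID when it honours AllowCreate, the SP either records it or fails before doing so, and the IdP then sends a ManageNameIDRequest with Terminate. The entity IDs, the user "alice", the hex identifiers and the modelling of the SP failure as an exception are all assumptions; the XML is an unsigned sketch of the real messages, carrying only the elements the scenario needs. The status values are the SAML 2.0 protocol status codes (Success, Responder, and the second-level UnknownPrincipal).

```python
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
UNKNOWN_PRINCIPAL = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"


def authn_request(sp_entity_id, allow_create):
    """Minimal <AuthnRequest> carrying the <NameIDPolicy> the post describes."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_{secrets.token_hex(8)}" Version="2.0">'
        f'<saml:Issuer>{sp_entity_id}</saml:Issuer>'
        f'<samlp:NameIDPolicy Format="{PERSISTENT}" AllowCreate="{str(allow_create).lower()}"/>'
        '</samlp:AuthnRequest>'
    )


def status_of(xml_text):
    """Return (top-level StatusCode, nested second-level StatusCode or None)."""
    root = ET.fromstring(xml_text)
    top = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    nested = top.find(f"{{{SAMLP}}}StatusCode")
    return top.get("Value"), (nested.get("Value") if nested is not None else None)


class IdP:
    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.federations = {}  # (user, sp_entity_id) -> persistent NameID value

    def handle_authn_request(self, user, request_xml):
        root = ET.fromstring(request_xml)
        sp = root.findtext(f"{{{SAML}}}Issuer")
        policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
        key = (user, sp)
        if key not in self.federations:
            if policy is None or policy.get("AllowCreate", "false") != "true":
                return None  # a real IdP would answer with InvalidNameIDPolicy
            # The IdP's state changes here, before the SP has seen anything.
            self.federations[key] = secrets.token_hex(16)
        name_id = self.federations[key]
        return (
            f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="_{secrets.token_hex(8)}" Version="2.0">'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion><saml:Issuer>{self.entity_id}</saml:Issuer><saml:Subject>'
            f'<saml:NameID Format="{PERSISTENT}">{name_id}</saml:NameID>'
            '</saml:Subject></saml:Assertion></samlp:Response>'
        )

    def manage_nameid_terminate(self, user, sp):
        """IdP-initiated defederation: <ManageNameIDRequest> with <Terminate/>."""
        name_id = self.federations[(user, sp)]
        return (
            f'<samlp:ManageNameIDRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="_{secrets.token_hex(8)}" Version="2.0">'
            f'<saml:Issuer>{self.entity_id}</saml:Issuer>'
            f'<saml:NameID Format="{PERSISTENT}">{name_id}</saml:NameID>'
            '<samlp:Terminate/></samlp:ManageNameIDRequest>'
        )


class SP:
    def __init__(self, entity_id, consume_fails=False):
        self.entity_id = entity_id
        self.consume_fails = consume_fails  # assumed model of the failure in the post
        self.federations = {}  # NameID value -> local account

    def consume_response(self, response_xml, local_account):
        if self.consume_fails:
            raise RuntimeError("SP failed before recording the new NameID")
        root = ET.fromstring(response_xml)
        name_id = root.findtext(f"{{{SAML}}}Assertion/{{{SAML}}}Subject/{{{SAML}}}NameID")
        self.federations[name_id] = local_account
        return name_id

    def handle_manage_nameid(self, request_xml):
        """Terminate an existing federation, or report the NameID as unknown."""
        name_id = ET.fromstring(request_xml).findtext(f"{{{SAML}}}NameID")
        if name_id in self.federations:
            del self.federations[name_id]
            code = f'<samlp:StatusCode Value="{SUCCESS}"/>'
        else:
            code = (f'<samlp:StatusCode Value="{RESPONDER}">'
                    f'<samlp:StatusCode Value="{UNKNOWN_PRINCIPAL}"/></samlp:StatusCode>')
        return (f'<samlp:ManageNameIDResponse xmlns:samlp="{SAMLP}" '
                f'ID="_{secrets.token_hex(8)}" Version="2.0">'
                f'<samlp:Status>{code}</samlp:Status></samlp:ManageNameIDResponse>')


def run_scenario(sp_consume_fails):
    """Returns (IdP believes federated, SP has the NameID, terminate status)."""
    idp, sp = IdP("https://idp.example"), SP("https://sp.example", sp_consume_fails)
    resp = idp.handle_authn_request("alice", authn_request(sp.entity_id, allow_create=True))
    try:
        sp.consume_response(resp, local_account="alice-local")
    except RuntimeError:
        pass  # nothing in the exchange carries this failure back to the IdP
    idp_thinks_federated = ("alice", sp.entity_id) in idp.federations
    sp_has_name_id = bool(sp.federations)
    # The IdP's only signal arrives one step later, from the defederation attempt.
    status = status_of(sp.handle_manage_nameid(idp.manage_nameid_terminate("alice", sp.entity_id)))
    return idp_thinks_federated, sp_has_name_id, status
```

Running `run_scenario(False)` and `run_scenario(True)` side by side shows the asymmetry the post is about: in both runs the IdP's table says the federation exists, because it recorded the NameID at issuance time, and the first moment it can learn otherwise is the UnknownPrincipal status on the later ManageNameIDRequest.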