Public Comment

[comment-form@oasis-open.org]

Comment from: sean@smo.uhi.ac.uk

This comment is based upon sstc-saml-profiles-2.0-cd-02.pdf, which deals specifically with the proposed SAML profiles specification.

Section 4.3 (lines 1048-1100) of this draft specification deals with the Identity Provider Discovery Profile [IPDP].  I represent a project working towards enabling inter-institutional authorization and authentication for education; Our project recommends that another profile be included in the IPDP, a profile by which the principal brings their IDP with them, e.g. user@org.com, thereby indicating that there will be an IDP listening on www.org.com/SSO.

This second profile would allow several additional use cases. These include cases where cookies are disabled in the browser. It allows for greater flexibility, without depending on the browser to switch domains. It would provide for less complex implementations where small deploying groups only have a small number of interacting principals and IDPs, including point to point SAML transactions.