security-services message
Subject: RE: [security-services] Comment on sstc-saml-glossary-2.0 (also closes AI #0114)




Scott Cantor wrote on 3/12/2004, 7:45 PM:
 >
 > The SP isn't really affected either way, since he can throw the
 > value away even if the IdP does create it. The user obviously
 > is affected and should be able to tell the IdP "yes" or "no". I
 > don't see how putting a value in a request from the SP impacts
 > the user's ability to do this. It seemed to me to be a UI
 > optimization to allow the SP to ask the question and tell
 > the IdP what the user said, which is why I phrased it as a
 > consent distinction.

It's not just that.  It's that you're saying if an SP wants to perform
an authentication check they must also initiate a federation whether
they want to or not.  While I think that many SPs will want to do
a federation, I think it is very bad to require that behavior in
the API.

If we're concerned about bytes on the request, then have a parameter
that indicates whether or not the SP wants to federate and have it
default to "true" if not specified.

Just to give a bit of history here, I'm the one who pushed Liberty to
have a combined auth & Fed request because of the optimization of
doing both in one call.  However I think it is very bad to force
that behavior.

Conor
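The distinction Conor is arguing for, an authentication-only check versus authentication plus creation of a federation (a persistent pseudonymous identifier), is easiest to see from the identity provider's side. The following is an added example written for this archive page; it is not code from the SAML specifications, from Liberty, or from anyone on the thread. The request markup and the `AllowCreate` attribute on `<samlp:NameIDPolicy>` are the SAML 2.0 elements that ended up carrying this choice; the default-to-federate behaviour when the attribute is absent follows the proposal in the message above rather than the final specification text. The principal store, the HMAC-derived pseudonym scheme, the SP entity IDs and the sample requests are all constructed for the example.

```python
"""IdP-side handling of an AuthnRequest that may or may not ask for a
federation to be created (added example; see the lead-in above for what
is taken from SAML 2.0 and what is constructed here)."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


class FederationRequired(Exception):
    """SP asked for authentication only, but no federation exists yet."""


class IdentityProvider:
    def __init__(self, secret: bytes):
        self._secret = secret
        # (local user id, SP entityID) -> persistent pseudonym (constructed store)
        self.federations: dict = {}

    @staticmethod
    def wants_federation(authn_request_xml: str) -> bool:
        """Read the SP's wish from NameIDPolicy/@AllowCreate.
        Absent policy or absent attribute means 'federate' (the default
        proposed in the message, kept here as an explicit assumption)."""
        root = ET.fromstring(authn_request_xml)
        policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
        if policy is None:
            return True
        value = policy.get("AllowCreate")
        if value is None:
            return True
        return value.strip().lower() in ("true", "1")

    @staticmethod
    def issuer(authn_request_xml: str) -> str:
        root = ET.fromstring(authn_request_xml)
        el = root.find(f"{{{SAML}}}Issuer")
        if el is None or not el.text:
            raise ValueError("AuthnRequest has no Issuer")
        return el.text.strip()

    def handle(self, authn_request_xml: str, local_user: str,
               user_consents: bool = True) -> str:
        """Return the persistent identifier to put in the assertion's NameID,
        creating the federation only if the SP allows it and the user consents."""
        sp = self.issuer(authn_request_xml)
        key = (local_user, sp)
        if key in self.federations:
            return self.federations[key]          # auth check against an existing federation
        if not self.wants_federation(authn_request_xml):
            raise FederationRequired(f"{local_user} has no federation with {sp}")
        if not user_consents:
            raise PermissionError("user declined to federate")
        # Pseudonym stable per (user, SP) but unlinkable across SPs without the key.
        material = f"{local_user}|{sp}".encode()
        pseudonym = hmac.new(self._secret, material, hashlib.sha256).hexdigest()[:32]
        self.federations[key] = pseudonym
        return pseudonym


def authn_request(sp_entity_id: str, allow_create=None) -> str:
    """Constructed sample AuthnRequest; omit allow_create to leave NameIDPolicy out."""
    policy = ""
    if allow_create is not None:
        policy = (f'<samlp:NameIDPolicy Format="{PERSISTENT}" '
                  f'AllowCreate="{str(allow_create).lower()}"/>')
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="_req1" Version="2.0" IssueInstant="2004-03-12T19:45:00Z">'
            f'<saml:Issuer>{sp_entity_id}</saml:Issuer>{policy}</samlp:AuthnRequest>')


def demo() -> dict:
    idp = IdentityProvider(secret=b"constructed-example-key")
    sp = "https://sp.example.org/saml"
    out = {}
    try:                                   # 1. auth-only before any federation: refused
        idp.handle(authn_request(sp, allow_create=False), "alice")
        out["auth_only_first"] = "issued"
    except FederationRequired:
        out["auth_only_first"] = "refused"
    out["pseudonym"] = idp.handle(authn_request(sp), "alice")              # 2. federate
    out["auth_only_second"] = idp.handle(authn_request(sp, allow_create=False), "alice")
    out["other_sp"] = idp.handle(authn_request("https://other.example.net/saml"), "alice")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the example makes is the one in the thread: once the SP can say "authenticate only", the IdP can answer an existing federation without touching the user, and must refuse rather than silently create one when none exists; when the SP says nothing, the combined auth-and-federate behaviour is what happens.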
