Subject: RE: [security-services] Comment on sstc-saml-glossary-2.0 (also closes AI #0114)
Scott Cantor wrote on 3/13/2004, 5:24 PM:

> My view is merely that "please tell me who the user is" is either
> fulfilled or not. "Establish a connection" seems like a secondary
> interpretation of the result of (a) during a particular response
> that is beyond the scope of the protocol.

"Establish a connection" is equivalent to "create a federation" and this is significant (otherwise why the heck are we concerning ourselves with the whole concept of federation). Behind the request to "create a federation" there are legal, moral, and I'm sure privacy-related issues such that the SP has to be in control of whether or not that operation is initiated, and it needs to be kept distinct from the ability to perform an authentication request.

Simplest use case: user goes to a protected resource at the SP; the SP sees in the common domain cookie (shared with the IdP) that the user has previously (perhaps not this "session") authenticated with the IdP, so the SP performs an authentication request. The SP doesn't mind that the user gets prompted for authentication credentials, but so far the user has done nothing to indicate that they want their identity federated with the SP, so the SP does not want said authentication request to include a federation request.

> However, I will add a Federate flag to samlp:NameIDPolicy to meet your
> requirement the next time the request protocol is updated.

Thank you.

Conor
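The exchange above is about keeping "authenticate this user" separate from "create a federation for this user". The following is an added example, not code from the SAML TC, from either poster, or from any SAML implementation. It assumes the flag is a boolean attribute on samlp:NameIDPolicy; in the SAML 2.0 Core specification as eventually published that attribute is named AllowCreate (defaulting to false), and an IdP that cannot satisfy the policy without minting a new identifier reports the second-level status urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy. The SP entity ID, the user name, the timestamp and the in-memory federation store are all constructed for the demo.

```python
"""SP side builds an AuthnRequest with or without permission to federate;
IdP side, after authenticating the user, decides whether it may return an
existing persistent identifier, must create one, or must refuse.
Added example; AllowCreate semantics follow SAML 2.0 Core, everything else
(entity IDs, user names, the federation store) is constructed for the demo."""
import uuid
import xml.etree.ElementTree as ET

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_INVALID_POLICY = "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"

ET.register_namespace("samlp", NS_P)
ET.register_namespace("saml", NS_A)


def build_authn_request(sp_entity_id: str, allow_create: bool) -> str:
    """SP side.  allow_create=False means: authenticate the user (prompting
    for credentials is fine) but do NOT establish a new federation for me."""
    req = ET.Element(f"{{{NS_P}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": "2004-03-13T17:24:00Z",  # constructed timestamp
    })
    ET.SubElement(req, f"{{{NS_A}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{NS_P}}}NameIDPolicy", {
        "Format": FMT_PERSISTENT,
        "SPNameQualifier": sp_entity_id,
        "AllowCreate": "true" if allow_create else "false",
    })
    return ET.tostring(req, encoding="unicode")


def parse_name_id_policy(authn_request_xml: str) -> dict:
    """IdP side: pull the NameIDPolicy out of an AuthnRequest.
    A missing AllowCreate attribute is treated as false (the spec default)."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find(f"{{{NS_P}}}NameIDPolicy")
    if policy is None:
        return {"format": None, "sp": None, "allow_create": False}
    return {
        "format": policy.get("Format"),
        "sp": policy.get("SPNameQualifier"),
        "allow_create": policy.get("AllowCreate", "false").lower() == "true",
    }


def idp_decide(federations: dict, user: str, authn_request_xml: str) -> dict:
    """IdP side, called AFTER the user has authenticated as `user`.
    `federations` maps (user, sp_entity_id) -> opaque persistent identifier and
    stands in for the IdP's federation store.  Returns the status to put in the
    Response and, on success, the NameID value to assert."""
    policy = parse_name_id_policy(authn_request_xml)
    if policy["format"] != FMT_PERSISTENT:
        # Only the persistent (federated) case matters for this discussion.
        return {"status": STATUS_RESPONDER, "name_id": None}
    key = (user, policy["sp"])
    if key in federations:
        # A federation already exists: authentication alone is enough.
        return {"status": STATUS_SUCCESS, "name_id": federations[key]}
    if not policy["allow_create"]:
        # Authentication succeeded, but the SP did not ask for a federation,
        # so the IdP must not mint one behind the user's back.
        return {"status": STATUS_INVALID_POLICY, "name_id": None}
    # The SP explicitly asked for federation: create a pairwise identifier.
    federations[key] = "_" + uuid.uuid4().hex
    return {"status": STATUS_SUCCESS, "name_id": federations[key]}


if __name__ == "__main__":
    store = {}
    sp = "https://sp.example.org/saml"  # constructed entity ID
    # First visit: SP wants authentication only -> IdP refuses to federate.
    print(idp_decide(store, "alice", build_authn_request(sp, allow_create=False)))
    # User opts in at the SP; SP re-requests with permission to federate.
    print(idp_decide(store, "alice", build_authn_request(sp, allow_create=True)))
    # Later visits: authentication-only requests now succeed with the same ID.
    print(idp_decide(store, "alice", build_authn_request(sp, allow_create=False)))
```

The point the code makes is the one Conor argues: the same AuthnRequest can succeed or fail depending on whether a federation already exists, and the SP, not the IdP, controls whether a missing federation may be created. An SP that wants the first scenario (prompt for credentials, but no new federation) simply sends the request with the flag off and treats InvalidNameIDPolicy as "known to the IdP, not yet federated with us".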