security-services message

Subject: When does an IdP know that a user has successfully federated with an SP?

SAML 2.0 includes a number of different components that convey identifiers
from IdP to SP, or, from SP to IdP. The goal here is more than
informational; the interest lies in synchronizing state --- one party is
informing another --- change your internal tables with this new information.

For this to be of value, there must be a way for initiators to understand
when this type of state change has succeeded (or failed) at the destination.
But this part seems to me very unclear or at least extremely underspecified
in the current flows.

Consider, for example, the AuthnRequest/Response pair. A user visits an SP
and is redirected to an IdP with <NameIDPolicy> set to AllowCreate. A new
identifier is created and is returned with the Assertion to the SP. However,
there is a failure at this point and the SP does not consume this

The IdP has no knowledge of this failure. From its point of view, it would
presumably allow the user to defederate from the SP in the very next step.
When such a step is attempted, and the user does arrive at the SP with a
completely unknown identifier, the potential for administrative confusion
seems quite large. Another possibility is that the IdP may use one of
the Name Identifier update methods to roll over the (non-existent) identifier
at the SP.

I guess my question reduces to the following: is there much point to a
system of state propagation in which success or failure of state update
remains unknown?
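The state drift described in this message, modelled as an added example (constructed illustration, not SAML library code and not from the original post): an IdP records a newly created persistent identifier when it answers an AuthnRequest with AllowCreate, the SP fails before it stores the identifier from the assertion, and a later Terminate request for that identifier reaches an SP that has never seen it. The class names, the `fail` switch and the in-memory tables are assumptions made for the simulation; the two status URIs are the ones defined by SAML 2.0 Core, though a real response would carry UnknownPrincipal as a second-level code beneath a top-level Requester status.

```python
"""Toy model of SAML 2.0 name-identifier state held by an IdP and an SP.

Constructed simulation of the failure mode in the message: the IdP creates
and records a persistent NameID, the SP fails before it stores that NameID,
and the IdP is never told. Assumed names and tables, not a SAML library.
"""
from dataclasses import dataclass, field
import secrets

# Status URIs defined by SAML 2.0 Core (here returned bare for simplicity).
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_UNKNOWN_PRINCIPAL = "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"


@dataclass
class IdP:
    # (user, sp entity id) -> persistent identifier issued to that SP
    federations: dict = field(default_factory=dict)

    def handle_authn_request(self, user, sp, allow_create):
        """Answer an AuthnRequest; with AllowCreate, mint and record a new NameID."""
        key = (user, sp)
        if key not in self.federations:
            if not allow_create:
                return None  # no federation exists and none may be created
            # The IdP commits this mapping as soon as it issues the assertion.
            self.federations[key] = "pid-" + secrets.token_hex(4)
        return self.federations[key]  # NameID carried in the Assertion

    def name_id_for(self, user, sp):
        """NameID the IdP would place in a ManageNameIDRequest (Terminate)."""
        return self.federations.get((user, sp))


@dataclass
class SP:
    # persistent identifier -> local account
    accounts: dict = field(default_factory=dict)

    def consume_assertion(self, name_id, local_account, fail=False):
        """Store the NameID from the assertion; `fail` models a crash before storage."""
        if fail:
            raise RuntimeError("assertion processing failed before state update")
        self.accounts[name_id] = local_account

    def handle_terminate(self, name_id):
        """Handle ManageNameIDRequest/Terminate: refuse identifiers never stored."""
        if name_id not in self.accounts:
            # Surfacing the mismatch explicitly is the SP-side check that keeps
            # a desynchronised identifier from being silently acted upon.
            return STATUS_UNKNOWN_PRINCIPAL
        del self.accounts[name_id]
        return STATUS_SUCCESS


def run_scenario(sp_fails):
    """Run AuthnRequest -> Assertion -> (optional SP failure) -> Terminate.

    Returns (idp_has_mapping, sp_has_mapping, terminate_status).
    """
    idp, sp = IdP(), SP()
    name_id = idp.handle_authn_request("alice", "https://sp.example", allow_create=True)
    try:
        sp.consume_assertion(name_id, "alice-local", fail=sp_fails)
    except RuntimeError:
        pass  # nothing in the flow reports this back to the IdP
    idp_has = ("alice", "https://sp.example") in idp.federations
    sp_has = name_id in sp.accounts
    status = sp.handle_terminate(idp.name_id_for("alice", "https://sp.example"))
    return idp_has, sp_has, status


if __name__ == "__main__":
    print("SP succeeds:", run_scenario(sp_fails=False))
    print("SP fails:   ", run_scenario(sp_fails=True))
```

In the failing run the IdP's table still holds the mapping while the SP's does not, and the Terminate request is answered with UnknownPrincipal; the IdP learns of the mismatch only at that later step, which is exactly the gap the message points out.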
