security-services message


Subject: RE: [security-services] Web SSO <AuthnRequest> conformance

Thomas Wisniewski wrote on 10/26/2004, 2:05 PM:

 > Scott, no, just HTTP Redirect.
 > Using HTTP Post is not the best alternative, as the IDP site is typically a
 > "protected" site that may require the user to provide their credentials. If
 > HTTP Post is used, the caching of the <AuthnRequest> at the IDP site (while
 > the user authenticates) adds additional work/overhead.  Versus using HTTP
 > Artifact.

You always have to cache the AuthnRequest at the IdP site if/when the
user authenticates.  The IdP can't determine if they need to authenticate
the user until they see the authnrequest (whether it comes in through
redirect, post, or artifact).

I would expect that most IdPs would *not* put their AuthnRequest
delivery location within the protected area of the site because
there are options on the AuthnRequest that prohibit the IdP from
interacting with the user.
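
The point made in this reply, as an added example that is not part of the original message: an IdP endpoint outside the protected area decodes an HTTP-Redirect `SAMLRequest`, reads the request, and only then decides whether to respond at once or to cache the request while the user logs in. It assumes SAML 2.0's `IsPassive` and `ForceAuthn` attributes as the options in question; the function names, `PENDING` store, size cap and sample request are constructed for illustration, and signature and `Destination` checks are left out.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"
MAX_XML = 64 * 1024  # assumed cap on the inflated request size
PENDING = {}         # request ID -> request, held while the user logs in

# Constructed sample request (not taken from the thread).
SAMPLE_PASSIVE = (b'<samlp:AuthnRequest xmlns:samlp="' + SAMLP.encode() +
                  b'" ID="_constructed1" Version="2.0"'
                  b' IssueInstant="2004-10-26T18:05:00Z" IsPassive="true"/>')

def encode_redirect(xml: bytes) -> str:
    """SP side: raw DEFLATE then base64 (URL-encoding left to the caller)."""
    c = zlib.compressobj(wbits=-15)
    return base64.b64encode(c.compress(xml) + c.flush()).decode()

def decode_redirect(saml_request: str) -> bytes:
    """IdP side: reverse the encoding with a bound on inflated size."""
    inflater = zlib.decompressobj(-15)
    xml = inflater.decompress(base64.b64decode(saml_request), MAX_XML)
    if inflater.unconsumed_tail:
        raise ValueError("AuthnRequest too large")
    if b"<!DOCTYPE" in xml:
        raise ValueError("DTD not allowed in SAML messages")
    return xml

def handle_authn_request(xml: bytes, has_session: bool):
    """Binding-independent decision: the request must be read first."""
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not an AuthnRequest")
    req = {
        "id": root.attrib["ID"],
        "passive": root.get("IsPassive", "false") in ("true", "1"),
        "force": root.get("ForceAuthn", "false") in ("true", "1"),
    }
    if has_session and not req["force"]:
        return ("respond", SUCCESS)
    if req["passive"]:
        # User interaction is prohibited, so a login page cannot be shown.
        return ("respond", NO_PASSIVE)
    PENDING[req["id"]] = req  # cached until authentication completes
    return ("authenticate", req["id"])
```

If the endpoint sat behind a login wall, the `NO_PASSIVE` branch could never be reached without first prompting the user, which is the conflict the reply describes.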

