Subject: RE: [security-services] Web SSO <AuthnRequest> conformance
Seems reasonable. Do you feel it will be added to the conf spec as MUST?

Tom.

-----Original Message-----
From: Conor P. Cahill [mailto:concahill@aol.com]
Sent: Tuesday, October 26, 2004 2:44 PM
To: Thomas Wisniewski
Cc: Scott Cantor; security-services@lists.oasis-open.org
Subject: RE: [security-services] Web SSO <AuthnRequest> conformance

Thomas Wisniewski wrote on 10/26/2004, 2:05 PM:

> Scott, no, just HTTP Redirect.
>
> Using HTTP Post is not the best alternative, as the IDP site is typically a
> "protected" site that may require the user to provide their credentials. If
> HTTP Post is used, the caching of the <AuthnRequest> at the IDP site (while
> the user authenticates) adds additional work/overhead. Versus using HTTP
> Artifact.

You always have to cache the AuthnRequest at the IdP site if/when the user authenticates. The IdP can't determine if they need to authenticate the user until they see the AuthnRequest (whether it comes in through redirect, post, or artifact).

I would expect that most IdPs would *not* put their AuthnRequest delivery location within the protected area of the site because there are options on the AuthnRequest that prohibit the IdP from interacting with the user.

Conor