
security-services message



Subject: RE: [security-services] Web SSO <AuthnRequest> conformance


Seems reasonable. Do you feel it will be added to the conf spec as MUST?

Tom.

-----Original Message-----
From: Conor P. Cahill [mailto:concahill@aol.com]
Sent: Tuesday, October 26, 2004 2:44 PM
To: Thomas Wisniewski
Cc: Scott Cantor; security-services@lists.oasis-open.org
Subject: RE: [security-services] Web SSO <AuthnRequest> conformance




Thomas Wisniewski wrote on 10/26/2004, 2:05 PM:

 > Scott, no, just HTTP Redirect.
 >
 > Using HTTP Post is not the best alternative, as the IDP site is typically a
 > "protected" site that may require the user to provide their credentials. If
 > HTTP Post is used, the caching of the <AuthnRequest> at the IDP site (while
 > the user authenticates) adds additional work/overhead.  Versus using HTTP
 > Artifact.

You always have to cache the AuthnRequest at the IdP site if/when the
user authenticates.  The IdP can't determine if they need to authenticate
the user until they see the authnrequest (whether it comes in through
redirect, post, or artifact).

I would expect that most IdPs would *not* put their AuthnRequest
delivery location within the protected area of the site because
there are options on the AuthnRequest that prohibit the IdP from
interacting with the user.

Conor
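
The flow discussed in this thread, as an added example that is not part of the original messages or of any OASIS or vendor code: an unprotected IdP endpoint inspects the decoded <AuthnRequest> before deciding whether to interact with the user, and caches it only when a login is needed. It assumes the SAML 2.0 `IsPassive` and `ForceAuthn` attributes are the options referred to; the `IdP` class, its method names, the state token and the sample messages are hypothetical and constructed for illustration.

```python
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"

def sample_request(request_id, is_passive=False):
    """Constructed sample <AuthnRequest>, already decoded from its binding."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="{request_id}" '
            f'Version="2.0" IsPassive="{str(is_passive).lower()}"/>')

def _flag(root, name):
    return root.get(name, "false") in ("true", "1")

class IdP:
    """Hypothetical IdP front end; assumed names, not a real library API."""

    def __init__(self):
        self.pending = {}  # opaque state token -> request cached during login

    def receive(self, xml_text, binding, session_user=None):
        # This endpoint sits outside the protected area: the request must be
        # read before any login page is shown, whatever binding delivered it.
        if "<!DOCTYPE" in xml_text:
            raise ValueError("DTDs are not accepted in protocol messages")
        root = ET.fromstring(xml_text)
        if root.tag != f"{{{SAMLP}}}AuthnRequest":
            raise ValueError("not an AuthnRequest")
        req_id = root.get("ID")
        if session_user and not _flag(root, "ForceAuthn"):
            # Existing session satisfies the request; nothing to cache.
            return ("respond", {"in_response_to": req_id, "subject": session_user})
        if _flag(root, "IsPassive"):
            # The IdP may not interact with the user, so it answers at once.
            return ("respond", {"in_response_to": req_id, "status": NO_PASSIVE})
        # Login needed: cache the request server-side under a random token.
        token = secrets.token_urlsafe(16)
        self.pending[token] = {"id": req_id, "binding": binding}
        return ("login", token)

    def complete_login(self, token, user):
        # Single use: pop the cached request so the token cannot be replayed.
        req = self.pending.pop(token)
        return ("respond", {"in_response_to": req["id"], "subject": user})
```
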


