Subject: IdP Discovery
I keep forgetting to bring this up -- I was just reminded of it again, so I'm seizing the opportunity.

Currently, in the IdP Discovery section of saml-profiles-2.0, we don't specify whether the cookie _saml_idp should be a session cookie or a persistent cookie. There are two use cases I have seen for using IdP Discovery, and they are not compatible:

1) The presence of an IdP in the _saml_idp cookie indicates that the user has a valid session with the IdP, implying that an SP might use that IdP for seamless SSO. This use case requires that the _saml_idp cookie is a session cookie.

2) The presence of an IdP in the _saml_idp cookie indicates that the user has an account with the IdP, but not necessarily an active session. This use case requires that the _saml_idp cookie is a persistent cookie.

The current specs support both use cases, obviously, but it's a nightmare for deployers to ensure that all participants are managing cookies according to the same policy. It would be good at a minimum to have some discussion of this somewhere, so that implementers / deployers are at least aware that they need to coordinate on this point. Better, I think, would be if we had metadata to describe a "common domain" or "circle of trust" that could communicate these options. Even better would be if we had separate cookies for the two use cases so that they could co-exist.

-Greg
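The following is an added illustration of the two cookie policies Greg contrasts; it is not code from the message or from any SAML implementation. It encodes and decodes the common-domain cookie using the value format I recall from the IdP Discovery section of saml-profiles-2.0 (each entityID base64-encoded, entries separated by a single space, most recently used IdP last; treat that as an assumption to check against the spec text), emits a Set-Cookie header under either the session or the persistent policy, and includes a small classifier a deployer could run against a common-domain service's responses to confirm which policy it actually applies. The entityIDs and domain are constructed sample values.

```python
import base64
from typing import List

# Cookie name fixed by the IdP Discovery profile in saml-profiles-2.0.
COOKIE_NAME = "_saml_idp"


def encode_idp_list(entity_ids: List[str]) -> str:
    """Build the cookie value: base64 of each entityID, space-separated, most recent last."""
    return " ".join(
        base64.b64encode(eid.encode("utf-8")).decode("ascii") for eid in entity_ids
    )


def decode_idp_list(value: str) -> List[str]:
    """Parse a cookie value back into entityIDs, silently dropping malformed tokens."""
    ids: List[str] = []
    for token in value.split():
        try:
            ids.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 / UTF-8: ignore rather than fail the whole read
    return ids


def add_idp(existing_value: str, entity_id: str) -> str:
    """Return a new cookie value with entity_id moved (or added) to the most-recent position."""
    ids = [eid for eid in decode_idp_list(existing_value) if eid != entity_id]
    ids.append(entity_id)
    return encode_idp_list(ids)


def set_cookie_header(value: str, domain: str, persistent: bool, max_age_days: int = 30) -> str:
    """Emit a Set-Cookie header under use case 1 (session) or use case 2 (persistent).

    A session cookie carries no Max-Age/Expires, so the browser discards it when the
    session ends; the persistent variant adds Max-Age. The value is quoted because
    RFC 6265 cookie-octets exclude the space separator used between entries.
    """
    quoted = f'"{value}"' if " " in value else value
    parts = [f"{COOKIE_NAME}={quoted}", f"Domain={domain}", "Path=/", "Secure"]
    if persistent:
        parts.append(f"Max-Age={max_age_days * 86400}")
    return "; ".join(parts)


def classify_set_cookie(header: str) -> str:
    """Report whether a Set-Cookie header makes _saml_idp a 'session' or 'persistent' cookie.

    This is the check a deployer can run against each participant's common-domain
    writer, since an SP reading the Cookie request header cannot tell the two apart.
    """
    attrs = [p.strip().lower() for p in header.split(";")[1:]]
    for attr in attrs:
        if attr.startswith("max-age=") or attr.startswith("expires="):
            return "persistent"
    return "session"


if __name__ == "__main__":
    # Constructed sample entityIDs; not real deployments.
    first = "https://idp-a.example.org/saml"
    second = "https://idp-b.example.org/saml"
    value = add_idp(encode_idp_list([first]), second)
    print("decoded:", decode_idp_list(value))
    for persistent in (False, True):
        hdr = set_cookie_header(value, ".example.org", persistent)
        print(classify_set_cookie(hdr), "->", hdr)
```

Running the module prints the decoded IdP list followed by one session-scoped and one persistent Set-Cookie header; the classifier output is what two deployers in the same common domain would compare to detect the policy mismatch the message describes.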