Re: [security-services] Re: Proposed Agenda for SSTC Call (May 18,2010)

[Nate Klingenstein <ndk@internet2.edu>]

>I don't know if that's what Ari had in mind, but I was struggling to reconcile the follow on Response.

From my recollection, the goal Phil had in mind is to allow the SP to reconcile its own information with the operation results at the IdP, e.g. supplying an identifier in the other direction so the SP can update its own representation of the user, possibly creating pairwise persistent pseudonyms.  Is there another way you'd prefer that the IdP signal to the SP that the create operation was successful, or do you feel there is no need to relay that information?

Sleeping on it, I did think of a concern in using an AuthnRequest with an assertion in an extension.  Since all extensions are considered non-critical in SAML, how would you distinguish between an IdP that understood the entire request and submitted a response that success had been achieved, versus a (potentially poorly implemented) IdP that was able to authenticate the user somehow and just processed the AuthnRequest per usual and sent a Response back to the SP?

Modeling the flows with an unsolicited response with an embedded AuthnRequest in an extension would seem to me a safer way to ensure that the provider really understands what it has received and what it's supposed to do with it.