OpenSAML user discussion

[Scott Cantor <>]

> It seems that SAML Query should not be used as the first 
> authentication for any entity? Is this true? If so why?

Because as the spec makes clear, it's not designed to perform
authentication, it's a way of accessing assertions about authentication
after the fact. It actually has very little obvious use (to me anyway).

There is a protocol in the 2.0 draft that is at least the beginning of a
credentials collection operation that is appropriate to use for this, but it
doesn't generally put the user's credentials inside the message (the client
needs to know how to authenticate to the server) and it needs to be profiled
to make it work in an interoperable way for a particular purpose.

The new browser SSO profile will be layered on this protocol, hopefully.

-- Scott