
mace-opensaml-users - Re: authentication questions

Subject: OpenSAML user discussion


Re: authentication questions


  • From: Tom Scavo <>
  • To: "Garcia, Gene" <>
  • Subject: Re: authentication questions
  • Date: Mon, 11 Jul 2005 16:45:48 -0400

On 7/11/05, Garcia, Gene <> wrote:
>
> 1) Is there a way for a service provider to send an authentication request
> for an unidentified user? For a user that the third party knows nothing
> about, they'd need to send an authentication request with no subject.

I'm not sure I understand your question. The SAML 1.1 profiles are
IdP-first, so an authentication assertion is pushed from the IdP to
the SP. In other words, an SP-first browser profile is definitely not
a SAML 1.1 profile. You have to add some kind of authentication
request mechanism (like Shibboleth does) to handle the SP-first case.

Is that your question? How do you extend SAML 1.1 to handle SP-first
requests?

> In SAML 2.0 that appears to be no problem, but in SAML 1.1 (and hence,
> with OpenSAML) I don't see a way to do this. Am I missing something?

If you're asking how SAML 1.1 handles SP-first requests, the
answer is it doesn't. See the Shibboleth browser profiles for
examples of how this might be accomplished using SAML1 assertions, but
the SAML1 spec does not address this use case.

Tom
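To make the contrast in the reply concrete, here is an added example (not code from the thread, OpenSAML or Shibboleth) that builds the two SP-first mechanisms side by side: a SAML 2.0 AuthnRequest that simply omits the optional Subject, and a Shibboleth 1.x-style redirect that carries no SAML message at all, plus the IdP-side check that the return address in such a redirect is one the SP's metadata actually registers. The entity IDs and URLs are made up, and the query parameter names (shire, providerId, target, time) are assumed from the Shibboleth 1.3 authentication request profile.

```python
import time
import uuid
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def build_saml2_authn_request(sp_entity_id, idp_sso_url, acs_url,
                              request_id=None, issue_instant=None):
    """SAML 2.0 <samlp:AuthnRequest> for a user the SP cannot yet name:
    <saml:Subject> is optional in the 2.0 schema, so it is simply omitted."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id or "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": issue_instant
        or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id  # the SP
    return ET.tostring(req, encoding="unicode")

def has_subject(authn_request_xml):
    """True when the request already binds a user via <saml:Subject>."""
    return ET.fromstring(authn_request_xml).find(f"{{{SAML}}}Subject") is not None

def build_shib1_sp_first_redirect(idp_sso_url, sp_entity_id, acs_url, target, now=None):
    """Shibboleth 1.x SP-first request: no SAML message at all, just query
    parameters (assumed names: shire = SP assertion consumer URL,
    providerId = SP entity ID, target = post-login destination)."""
    params = {"shire": acs_url, "providerId": sp_entity_id,
              "target": target, "time": str(now or int(time.time()))}
    return idp_sso_url + "?" + urlencode(params)

def validate_shib1_request(url, registered_acs_urls):
    """IdP-side check: only post the assertion to an ACS URL that metadata
    registers for this providerId, never to an arbitrary 'shire' value."""
    q = parse_qs(urlparse(url).query)
    for key in ("shire", "providerId", "target"):
        if key not in q:
            raise ValueError(f"missing parameter: {key}")
    shire, provider = q["shire"][0], q["providerId"][0]
    if shire not in registered_acs_urls.get(provider, ()):
        raise ValueError(f"shire {shire} is not registered for {provider}")
    return {"shire": shire, "providerId": provider, "target": q["target"][0]}
```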


