mace-opensaml-users - RE: authentication questions

Subject: OpenSAML user discussion


RE: authentication questions


  • From: "Garcia, Gene" <>
  • To: "Tom Scavo" <>
  • Cc: <>
  • Subject: RE: authentication questions
  • Date: Mon, 11 Jul 2005 17:20:47 -0400

Ok, thanks Bob and Tom.
I was getting lost between SAML 1.1 and 2.0. In SAML 2.0 there's an
AuthnRequest as well as a profile defined for this.
So in 1.1, it looks like the request sent to the IdP just contains a "Target"
parameter without an accompanying SAMLRequest. That's unfortunate. There's a
lot that the AuthnRequest allows for that is apparently just not possible
with SAML 1.1.

-Gene

-----Original Message-----
From: Tom Scavo
Sent: Monday, July 11, 2005 4:46 PM
To: Garcia, Gene
Cc:

Subject: Re: authentication questions


On 7/11/05, Garcia, Gene
<>
wrote:
>
> 1) Is there a way for a service provider to send an authentication request
> for an unidentified user? For a user that the third party knows nothing
> about, they'd need to send an authentication request with no subject.

I'm not sure I understand your question. The SAML 1.1 profiles are
IdP-first, so an authentication assertion is pushed from the IdP to
the SP. In other words, an SP-first browser profile is definitely not
a SAML 1.1 profile. You have to add some kind of authentication
request mechanism (like Shibboleth does) to handle the SP-first case.

Is that your question? How do you extend SAML 1.1 to handle SP-first
requests?

> In
> SAML2.0 that appears to be no problem, but in SAML1.1 (and hence, with
> opensaml) I don't see a way to do this. Am I missing something?

If you're asking how does SAML 1.1 handle SP-first requests, the
answer is it doesn't. See the Shibboleth browser profiles for
examples of how this might be accomplished using SAML1 assertions, but
the SAML1 spec does not address this use case.

Tom
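The contrast the thread draws, an SP-first SAML 2.0 AuthnRequest carrying no Subject versus a SAML 1.1 Shibboleth-style redirect that carries only query parameters and no SAMLRequest at all, as an added example written for this archive page; it is not code from the thread, from OpenSAML or from Shibboleth. The SAML 2.0 element names and the HTTP-Redirect encoding (raw DEFLATE, then base64, in a SAMLRequest parameter) follow the SAML 2.0 specifications; the Shibboleth 1.x parameter names other than target (shire, providerId) are assumed from that software's documented SP-first profile and are not mentioned in the thread, and the `inspect_sso_request` function is an illustrative IdP-side check, not a real OpenSAML API. The URLs and issuer names are constructed sample values.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET  # for production parsing prefer defusedxml

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)


def build_authn_request(issuer, acs_url, destination, request_id=None, issue_instant=None):
    """Minimal SAML 2.0 AuthnRequest for a user the SP knows nothing about:
    no <saml:Subject> is included, so the IdP is free to authenticate anyone."""
    attrs = {
        # XML IDs must start with a letter or underscore, hence the leading "_"
        "ID": request_id or "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": (issue_instant or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    }
    root = ET.Element(f"{{{SAMLP_NS}}}AuthnRequest", attrs)
    ET.SubElement(root, f"{{{SAML_NS}}}Issuer").text = issuer
    return ET.tostring(root, encoding="unicode")


def saml2_redirect_url(idp_sso_url, authn_request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii"), "RelayState": relay_state}
    return idp_sso_url + "?" + urlencode(params)


def shib1_redirect_url(idp_sso_url, target, shire, provider_id):
    """Shibboleth 1.x / SAML 1.1 SP-first request: only query parameters, no SAMLRequest.
    'target' is the parameter named in the thread; 'shire' (the SP's consumer URL) and
    'providerId' are assumed from Shibboleth 1.x, not from the thread."""
    return idp_sso_url + "?" + urlencode({"target": target, "shire": shire, "providerId": provider_id})


def inspect_sso_request(url):
    """Illustrative IdP-side check: which protocol arrived, who sent it, whether a
    Subject was named, and whether the AuthnRequest is missing required attributes."""
    q = parse_qs(urlparse(url).query)
    if "SAMLRequest" in q:
        xml = zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15).decode("utf-8")
        root = ET.fromstring(xml)
        if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
            raise ValueError("SAMLRequest is not an AuthnRequest")
        return {
            "protocol": "SAML 2.0",
            "issuer": root.findtext(f"{{{SAML_NS}}}Issuer"),
            "has_subject": root.find(f"{{{SAML_NS}}}Subject") is not None,
            "missing_attributes": [a for a in ("ID", "Version", "IssueInstant") if a not in root.attrib],
            "relay_state": q.get("RelayState", [None])[0],
        }
    if "target" in q:
        return {
            "protocol": "SAML 1.1 (Shibboleth-style)",
            "issuer": q.get("providerId", [None])[0],
            "has_subject": False,
            "target": q["target"][0],
            "consumer_url": q.get("shire", [None])[0],
        }
    raise ValueError("not a recognised SSO request")


if __name__ == "__main__":
    # Constructed sample values
    req = build_authn_request("https://sp.example.org/shibboleth",
                              "https://sp.example.org/Shibboleth.sso/SAML2/POST",
                              "https://idp.example.org/idp/profile/SAML2/Redirect/SSO")
    print(inspect_sso_request(saml2_redirect_url(
        "https://idp.example.org/idp/profile/SAML2/Redirect/SSO", req, "https://sp.example.org/app")))
    print(inspect_sso_request(shib1_redirect_url(
        "https://idp.example.org/shibboleth-idp/SSO", "https://sp.example.org/app",
        "https://sp.example.org/Shibboleth.shire", "https://sp.example.org/shibboleth")))
```

The SAML 1.1 branch shows why the thread calls the Target-only flow limiting: the IdP learns where to return the user and, at most, which SP asked, but nothing about requested authentication context, name-identifier policy or the other choices an AuthnRequest can express. Neither request is signed here; a real deployment would verify a signature or rely on metadata before trusting the issuer value.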



Archive powered by MHonArc 2.6.16.
