
mace-opensaml-users - RE: SAML1.x or SAML2.x?

Subject: OpenSAML user discussion

  • From: "Pantvaidya, Vishwajit" <>
  • To: Tom Scavo <>
  • Cc:
  • Subject: RE: SAML1.x or SAML2.x?
  • Date: Thu, 20 Apr 2006 17:02:20 -0700



> -----Original Message-----
> From: Tom Scavo
> [mailto:]
> Sent: Thursday, April 20, 2006 4:32 PM
> To: Pantvaidya, Vishwajit
> Cc:
>
> Subject: Re: SAML1.x or SAML2.x?
>
> On 4/20/06, Pantvaidya, Vishwajit <> wrote:
> >
> > So basically looks like in our case the SAML assertion xml will be passed
> > through the URL parameters.
> >
> > I checked SAML 1.1 and 2.0 specs and it seems that 1.1 does not support this
> > scenario.
>
> That's true, SAML 1.1 does not have an HTTPRedirect binding. However,
> is there some reason why you can't use Browser/POST?
>
Wouldn't browser post involve an additional click on the part of the user?
Or are you suggesting that the authenticating web-server do an HTTP POST to
us instead of a URL redirect?


> More importantly, SAML 1.1 does not support SP-first profiles. Is
> there some reason why you can't just use Shibboleth (which defines an
> AuthnRequest profile)? That sure would make your life easier. :-)
>

My understanding is that we would not need SP-first profiles and
AuthnRequest. Our opening page itself redirects user to the authenticating
web-server URL - so I guess we would not send any AuthnRequest. Basically it
is almost as if the user logs on to the web-server which then redirects it
to our site. So my understanding is that we only need to process an inbound
assertion. Does this make sense?

But I am open to using Shibboleth if that makes my job easier. My only
requirement is to use SAML and as Shibboleth seems to be built on SAML, that
is okay.


Thanks,

Vish.



