
mace-opensaml-users - Re: SAML1.x or SAML2.x?

Subject: OpenSAML user discussion


Re: SAML1.x or SAML2.x?

  • From: "Tom Scavo" <>
  • To: "Pantvaidya, Vishwajit" <>
  • Cc:
  • Subject: Re: SAML1.x or SAML2.x?
  • Date: Thu, 20 Apr 2006 20:28:08 -0400
  • Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=sc1bvG9H/emOlBNjAj/uO/mEEuXJKix99H7oN0uu105t0KEIIEDru/hBxSZRNaSgtze/VZduZNb50yejQ1CEGJr4atxqfbjpIIrM26BL+0lVVHs/EscwpQBs5vVZUgyvfICZcAedage0aUp2WBSoheGP56C86wg8d/kAm4A+PBo=

On 4/20/06, Pantvaidya, Vishwajit <> wrote:
>
> Wouldn't browser post involve an additional click on the part of the user?

One line of JavaScript will auto-submit the form.

> Or are you suggesting that the authenticating web-server do an HTTP POST to
> us instead of a URL redirect?

Through the browser, yes. This is Browser/POST, defined in both SAML
1.1 and SAML 2.0.

> > More importantly, SAML 1.1 does not support SP-first profiles. Is
> > there some reason why you can't just use Shibboleth (which defines an
> > AuthnRequest profile)? That sure would make your life easier. :-)
>
> My understanding is that we would not need SP-first profiles and
> AuthnRequest.

The scenario you outlined previously requires an SP-first profile. If
you start at the SP, it's called SP-first.

> Our opening page itself redirects user to the authenticating
> web-server URL - so I guess we would not send any AuthnRequest.

Okay, maybe I'm misunderstanding you. Is the opening page at the SP or the
IdP?

> Basically it
> is almost as if the user logs on to the web-server which then redirects it
> to our site. So my understanding is that we only need to process an inbound
> assertion. Does this make sense?

Yes, I think so.

> But I am open to using Shibboleth if that makes my job easier. My only
> requirement is to use SAML and as Shibboleth seems to be built on SAML, that
> is okay.

Then you need to switch over to shibboleth-users@internet2 :-) There
are volumes of documentation for you to read. Perhaps you might like
to start here:

http://shibboleth.internet2.edu/docs/draft-mace-shibboleth-tech-overview-latest.pdf

Hope this helps,
Tom
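The Browser/POST exchange Tom describes (the IdP hands the browser a form that one line of JavaScript auto-submits, and the SP then only has to process the inbound assertion) is shown below as an added Python example; it is not code from the thread, from OpenSAML or from Shibboleth. The consumer URL, audience, issuer and subject are constructed sample values, the Response is a minimal unsigned SAML 1.1 document, and the SP-side checks (Recipient, status, validity window, audience) are the ones an SP must make on top of XML signature verification, which needs an XML-DSig library and is left out here.

```python
import base64
import html
import xml.etree.ElementTree as ET  # production code should parse untrusted XML with defusedxml
from datetime import datetime, timedelta, timezone

SAML1_ASSERT = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML1_PROTO = "urn:oasis:names:tc:SAML:1.0:protocol"
NS = {"saml": SAML1_ASSERT, "samlp": SAML1_PROTO}
TS = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample values (not from the thread): the SP's assertion consumer
# URL, the audience it expects, and a fixed "now" so the demo is deterministic.
SP_ACS_URL = "https://sp.example.org/saml/post"
SP_AUDIENCE = "https://sp.example.org/shibboleth"
NOW = datetime(2006, 4, 20, 20, 28, 8, tzinfo=timezone.utc)


def build_response(now, audience, recipient, subject="alice"):
    """IdP side: an unsigned SAML 1.1 Response carrying one assertion (constructed sample)."""
    issued, expires = now.strftime(TS), (now + timedelta(minutes=5)).strftime(TS)
    return f"""<samlp:Response xmlns:samlp="{SAML1_PROTO}" xmlns:saml="{SAML1_ASSERT}"
    ResponseID="_r1" MajorVersion="1" MinorVersion="1" IssueInstant="{issued}" Recipient="{recipient}">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion AssertionID="_a1" MajorVersion="1" MinorVersion="1"
      Issuer="https://idp.example.edu" IssueInstant="{issued}">
    <saml:Conditions NotBefore="{issued}" NotOnOrAfter="{expires}">
      <saml:AudienceRestrictionCondition><saml:Audience>{audience}</saml:Audience></saml:AudienceRestrictionCondition>
    </saml:Conditions>
    <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
        AuthenticationInstant="{issued}">
      <saml:Subject><saml:NameIdentifier>{subject}</saml:NameIdentifier></saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>"""


def post_fields(response_xml, target):
    """The two form fields SAML 1.1 Browser/POST carries: the base64 Response and TARGET."""
    return {"SAMLResponse": base64.b64encode(response_xml.encode()).decode(), "TARGET": target}


def browser_post_form(acs_url, fields):
    """IdP side: the page the browser receives. The one line of JavaScript in onload
    submits the form so the user does not have to click; <noscript> keeps a button as
    a fallback. Every value is HTML-escaped before it is embedded in the markup."""
    inputs = "".join(
        f'<input type="hidden" name="{html.escape(k, quote=True)}" value="{html.escape(v, quote=True)}"/>'
        for k, v in fields.items())
    return (f'<html><body onload="document.forms[0].submit()">'
            f'<form method="post" action="{html.escape(acs_url, quote=True)}">{inputs}'
            f'<noscript><input type="submit" value="Continue"/></noscript></form></body></html>')


def _ts(value):
    return datetime.strptime(value, TS).replace(tzinfo=timezone.utc)


def consume_post(fields, now, acs_url=SP_ACS_URL, audience=SP_AUDIENCE):
    """SP side: decode the inbound Response and enforce the assertion's conditions.
    Returns the subject name; raises ValueError on any failed check.
    A real SP must also verify the XML signature over the Response or Assertion
    before trusting any of this; that step needs an XML-DSig library and is omitted."""
    root = ET.fromstring(base64.b64decode(fields["SAMLResponse"]))
    if root.tag != f"{{{SAML1_PROTO}}}Response":
        raise ValueError("not a SAML 1.x Response")
    if root.get("Recipient") != acs_url:
        raise ValueError("Recipient does not match this consumer URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != "samlp:Success":
        raise ValueError("non-success status")
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        raise ValueError("missing Assertion or Conditions")
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError("assertion not addressed to this SP")
    name = assertion.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    if name is None or not name.text:
        raise ValueError("no authenticated subject")
    return name.text


def check(fields, minutes_after_issue=1):
    """Run the SP checks at NOW + offset; return the subject or a 'rejected: ...' reason."""
    try:
        return consume_post(fields, NOW + timedelta(minutes=minutes_after_issue))
    except ValueError as err:
        return f"rejected: {err}"


if __name__ == "__main__":
    fields = post_fields(build_response(NOW, SP_AUDIENCE, SP_ACS_URL), "https://sp.example.org/app")
    print(browser_post_form(SP_ACS_URL, fields)[:120], "...")
    print(check(fields))                          # alice
    print(check(fields, minutes_after_issue=10))  # rejected: assertion outside its validity window
```

The SP side deliberately rejects rather than ignores a Response whose Recipient is some other consumer URL or whose audience is another SP, since an assertion issued for one site must not log a user into another; the short NotOnOrAfter window limits how long a captured form post stays usable.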


