
mace-opensaml-users - Re: SAML1.x or SAML2.x?

Subject: OpenSAML user discussion


Re: SAML1.x or SAML2.x?


  • From: "Tom Scavo" <>
  • To: "Pantvaidya, Vishwajit" <>
  • Cc:
  • Subject: Re: SAML1.x or SAML2.x?
  • Date: Fri, 21 Apr 2006 08:21:48 -0400
  • Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=LThC4v/tIziWYYW9gk9xJ4Mq37zLDjCoLBcFwu0xq7KGpwvFWB3tlkjTkn/lje97strI4NkWDRmhaQENFKobPlO8yhcy4olEWX7Uvi7lfYvevGURs6DJY1Z6gBw/23/qRZqqVoZQpXxzzHUAXLyxJf9W/u6PDbKE/shLX/wpErg=

On 4/20/06, Pantvaidya, Vishwajit <> wrote:
>
> > Is the opening page at the SP or the IdP?
>
> Sorry for the confusion - opening page has a frameset and self-service frame

As an aside, try to avoid frameset documents, which are a pain.

> that is returned from the SP but the login screen is returned from the IdP.

So the opening page is at the SP, which implies SP-first.

> So the user's login request gets submitted to the IdP which then
> authenticates and sends the result to the SP.

How does the IdP know the target SP? In an SP-first scenario, the
SP's identifier is called out in the AuthnRequest. In an IdP-first
situation, the location of the SP (and all SPs!) is known to the IdP
up front. At the IdP, the user is presented with a list of links, one
for each SP it recognizes. The form of these links is specified
precisely by the SAML spec.

I claim that almost everybody uses an SP-first profile these days.
That's why IdP discovery has become such an important issue.

> So my understanding is that I
> only need to accept the assertion and process it at the SP i.e. I hopefully
> do not need to send out an auth request.

Well, it's not that big of a deal if you use Shibboleth since it
supports SP-first profiles out of the box. On the other hand, SAML
1.1 does not, so interop with vendor software is sometimes tricky.
Sounds like you control all endpoints in your use case, however, so
Shibboleth seems like a good bet.

Tom
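The distinction Tom draws above (in SP-first the SP names itself in the AuthnRequest; in IdP-first the SP just receives and processes an assertion) can be made concrete with a small SAML 2.0 sketch. The following is an added example, not code from the thread, from OpenSAML or from Shibboleth; it uses only the Python standard library, and the entity IDs, URLs and sample assertions are constructed placeholders. It shows the SP's entity ID being carried in `<saml:Issuer>` of an AuthnRequest, how an IdP reads that back out to learn the target SP, and the check an SP that "only accepts the assertion" still needs: that the assertion's AudienceRestriction actually names this SP.

```python
"""Added example (not from the thread): SP identity in an SP-first
AuthnRequest, and the audience check an SP needs in the IdP-first case.
Entity IDs, URLs and the sample assertions are constructed placeholders."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

SP_ENTITY_ID = "https://sp.example.org/shibboleth"               # constructed
SP_ACS_URL = "https://sp.example.org/Shibboleth.sso/SAML2/POST"  # constructed


def build_authn_request(sp_entity_id: str, acs_url: str) -> bytes:
    """SP-first: the SP names itself in <saml:Issuer>; that is how the
    IdP learns which SP the user must be sent back to."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    return ET.tostring(req, encoding="utf-8")


def requested_sp(authn_request_xml: bytes) -> str:
    """IdP side: recover the target SP from the request's Issuer."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    issuer = root.find(f"{{{SAML}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("AuthnRequest carries no Issuer")
    return issuer.text.strip()


def assertion_is_for_sp(assertion_xml: bytes, sp_entity_id: str) -> bool:
    """SP side, IdP-first: there is no outstanding AuthnRequest to match
    against, so the AudienceRestriction is what ties the assertion to this
    SP. Signature and validity-window checks are outside this sketch."""
    root = ET.fromstring(assertion_xml)
    audiences = root.findall(
        f".//{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience")
    return any((a.text or "").strip() == sp_entity_id for a in audiences)


def _sample_assertion(audience: str) -> bytes:
    """Constructed, unsigned assertion used only to exercise the check."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0" '
        f'IssueInstant="2006-04-21T12:00:00Z">'
        f'<saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>'
        f'<saml:Conditions><saml:AudienceRestriction>'
        f'<saml:Audience>{audience}</saml:Audience>'
        f'</saml:AudienceRestriction></saml:Conditions>'
        f'</saml:Assertion>'
    ).encode()


ASSERTION_FOR_US = _sample_assertion(SP_ENTITY_ID)
ASSERTION_FOR_OTHER = _sample_assertion("https://other-sp.example.net/shibboleth")

if __name__ == "__main__":
    req = build_authn_request(SP_ENTITY_ID, SP_ACS_URL)
    print(req.decode())
    print("IdP sees target SP:", requested_sp(req))
    print("accept assertion for us:", assertion_is_for_sp(ASSERTION_FOR_US, SP_ENTITY_ID))
    print("accept assertion for other SP:", assertion_is_for_sp(ASSERTION_FOR_OTHER, SP_ENTITY_ID))
```

The point of `assertion_is_for_sp` is the caveat behind "I only need to accept the assertion": without an AuthnRequest of its own, the SP has nothing to correlate the response with, so the audience named inside the assertion is the only thing that says it was issued for this SP rather than for another one the IdP also links to.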



Archive powered by MHonArc 2.6.16.
