
mace-opensaml-users - Re: SAML1.x or SAML2.x?

Re: SAML1.x or SAML2.x?


  • From: "Tom Scavo" <>
  • To: "Pantvaidya, Vishwajit" <>
  • Subject: Re: SAML1.x or SAML2.x?
  • Date: Fri, 21 Apr 2006 14:56:08 -0400

[We probably should move this discussion to shibboleth-users and/or saml-dev]

On 4/21/06, Pantvaidya, Vishwajit
<>
wrote:
> >
> > So the opening page is at the SP, which implies SP-first.
>
> The opening page of the app which is at the SP has the SP content in one
> frame and IdP login screen in another frame.

Well, you can't display protected content if the user is not
authenticated so I consider this page to fall under the IdP-first
scenario. Really though, you don't want to do this. You will outgrow
this use case in short order. Might as well do it right to begin with
(i.e., SP-first).

> > > So the user's login request gets submitted to the IdP which then
> > > authenticates and sends the result to the SP.
> >
> > How does the IdP know the target SP? In an SP-first scenario, the
> > SP's identifier is called out in the AuthnRequest. In an IdP-first
>
> So in this case does the AuthnRequest embed the SP url to which the response
> is to be sent?

Yes. See section 4.1 of the Tech Overview.

> > I claim that almost everybody uses an SP-first profile these days.
> > That's why IdP discovery has become such an important issue.
>
> The IdP knows the SP and may even be hardcoding the SP URL.

This is overly simplistic. I don't believe you can get away with this
assumption for long.

> The only problem
> is when that IdP has to work with multiple SPs and since the result of the
> login request needs to be forwarded to a specific SP, then how does the IdP
> know which is the one for this request?
>
> - in that case, I presume (I am not
> a UI guy) the IdP can be passed the SP URL through the opening page?

If you read the Tech Overview and still have questions about this,
please post them on shibboleth-users.

Tom
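As an added example of the SP-first point made above (this is not code from the thread, from Shibboleth or from OpenSAML): the SP names itself in the AuthnRequest's Issuer and may also carry the AssertionConsumerServiceURL it wants the Response sent to, so the IdP learns the target SP from the request itself. The IdP still has to match both against the SP's registered metadata before replying. Python, standard library only; the SP entityID, endpoint URL and metadata table are constructed stand-ins.

```python
# Added example, not from the post: IdP side of an SP-first AuthnRequest.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed stand-in for the IdP's registered SP metadata: entityID -> allowed ACS URLs.
SP_METADATA = {"https://sp.example.org/shibboleth": {
    "https://sp.example.org/Shibboleth.sso/SAML2/POST"}}

def build_authn_request(issuer, acs_url, request_id="_abc123"):
    """What the SP sends (unsigned, minimal): Issuer names the SP, ACS URL says where to reply."""
    return ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            f'ID="{request_id}" Version="2.0" IssueInstant="2006-04-21T18:56:08Z" '
            f'AssertionConsumerServiceURL="{acs_url}">'
            f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')

def resolve_response_target(authn_request_xml):
    """IdP side: identify the SP from <Issuer>, then decide where the Response may go.
    Returns (entity_id, acs_url); raises ValueError when the request must not be honoured."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    issuer_el = root.find("saml:Issuer", NS)
    if issuer_el is None or not (issuer_el.text or "").strip():
        raise ValueError("no Issuer: the IdP cannot tell which SP is asking")
    entity_id = issuer_el.text.strip()
    allowed = SP_METADATA.get(entity_id)
    if allowed is None:
        raise ValueError(f"unknown SP: {entity_id}")
    requested = root.get("AssertionConsumerServiceURL")
    if requested is None:
        return entity_id, sorted(allowed)[0]   # no ACS asked for: use the registered default
    if requested not in allowed:
        # The URL in the request is untrusted input until checked against metadata;
        # an IdP that honours it blindly can be made to post a Response to the wrong place.
        raise ValueError(f"ACS URL {requested} is not registered for {entity_id}")
    return entity_id, requested

def accepts(authn_request_xml):
    """True when the IdP would act on the request, False when it would refuse it."""
    try:
        resolve_response_target(authn_request_xml)
        return True
    except ValueError:
        return False
```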
