OpenSAML user discussion

["Tom Scavo" <>]

[We probably should move this discussion to shibboleth-users and/or saml-dev]

On 4/21/06, Pantvaidya, Vishwajit 
<>
 wrote:
> >
> > So the opening page is at the SP, which implies SP-first.
>
> The opening page of the app which is at the SP has the SP content in one
> frame and IdP login screen in another frame).

Well, you can't display protected content if the user is not
authenticated so I consider this page to fall under the IdP-first
scenario.  Really though, you don't want to do this.  You will outgrow
this use case in short order.  Might as well do it right to begin with
(i.e., SP-first).

> > > So the user's login request gets submitted to the IdP which then
> > > authenticates and sends the result to the SP.
> >
> > How does the IdP know the target SP?  In an SP-first scenario, the
> > SP's identifier is called out in the AuthnRequest.  In an IdP-first
>
> So in this case does the AuthnRequest embed the SP url to which the response
> is to be sent?

Yes.  See section 4.1 of the Tech Overview.

> > I claim that almost everybody uses an SP-first profile these days.
> > That's why IdP discovery has become such an important issue.
>
> The IdP knows the SP and may even be hardcoding the SP URL.

This is overly simplistic.  I don't believe you can get away with this
assumption for long.

> The only problem
> is when that IdP has to work with multiple SPs and since the result of the
> login request needs to be forwarded to a specific SP, then how does the IdP
> know which is the one for this request?
>
>- in that case, I presume (I am not
> a UI guy) the IdP can be passed the SP URL through the opening page?

If you read the Tech Overview and still have questions about this,
please post them on shibboleth-users.

Tom