
shibboleth-dev - RE: WAYF-first authentication

  • From: "Scott Cantor" <>
  • To: "'Ian Young'" <>, <>
  • Subject: RE: WAYF-first authentication
  • Date: Fri, 29 Oct 2004 11:51:56 -0400
  • Organization: The Ohio State University

> 2. you can do that, but the architecture document doesn't make it clear
> yet

I would go with number 2. Everything before the POST is effectively optional
in SAML (actually undefined, so I guess I should say optional in
Shibboleth). Literally only the POST (or in the future the artifact redirect
and callback) is mandatory.

What you're doing is the same thing the WAYF does, impersonating an authn
request. This is possible because it isn't signed by the SP.

And I agree with your last response, the providerId is a completely public
and exposed aspect of the protocol. You have to know it or nothing works.
It's in fact the *only* thing you will absolutely have to know in the future
to do this, since everything can be defaulted in SAMLv2.

Moreover, any entity on the network can create an unsigned request on behalf
of any SP. This is why registering the ACS endpoints in metadata is
critical, to ensure that I can "forge" the request, but not spoof the return
path.

-- Scott
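The point in the message above is that the authentication request is forgeable but the return path is not, provided the IdP only ever posts the assertion to an assertion consumer endpoint registered in the SP's metadata for that providerId. The following is an added illustration of that IdP-side check, written for this archive page; it is not Shibboleth's own code. It assumes the Shibboleth 1.x request parameter names `providerId` (the SP entityID) and `shire` (the requested return URL), a constructed metadata snippet with a hypothetical SP entityID and endpoints, and a minimal metadata parser using only the Python standard library.

```python
"""
Added example (not from the shibboleth-dev thread or the Shibboleth code base).

Binds an unsigned, forgeable authentication request to the assertion
consumer service (ACS) endpoints registered in SP metadata: anyone can send
the IdP a request naming any providerId, but the assertion will only ever be
posted to a Location that the SP itself registered for that entityID.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample metadata. The entityID and endpoint URLs are hypothetical.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="https://sp.example.edu/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
      <AssertionConsumerService
          Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
          Location="https://sp.example.edu/Shibboleth.sso/SAML/POST" index="1"/>
      <AssertionConsumerService
          Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
          Location="https://sp.example.edu/Shibboleth.sso/SAML/Artifact" index="2"/>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


def load_acs_endpoints(metadata_xml):
    """Return {entityID: set of registered AssertionConsumerService Locations}."""
    root = ET.fromstring(metadata_xml)
    endpoints = {}
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        locations = set()
        for acs in ed.iter(f"{{{MD_NS}}}AssertionConsumerService"):
            loc = acs.get("Location")
            if loc:
                locations.add(loc)
        endpoints[ed.get("entityID")] = locations
    return endpoints


# Parsed once at load time, the way an IdP would cache its metadata.
ENDPOINTS = load_acs_endpoints(SAMPLE_METADATA)


def validate_request(params, endpoints=ENDPOINTS):
    """
    Check the unsigned request's return path against metadata.

    params: dict of the query-string parameters the IdP received
            (assumed names: 'providerId' and 'shire').
    Returns (ok, reason). When ok is True the IdP may POST the assertion
    to params['shire']; otherwise it must refuse, regardless of who sent
    the request, because the request itself carries no authentication.
    """
    provider_id = params.get("providerId")
    shire = params.get("shire")
    if not provider_id or not shire:
        return False, "missing providerId or shire"
    registered = endpoints.get(provider_id)
    if registered is None:
        return False, "unknown providerId"
    # Exact string match on the full URL. A hostname or prefix comparison
    # would let a forged request redirect the assertion to another path
    # on the SP's host (an open redirect, a user-controlled page), which
    # is precisely the spoofed return path the metadata check exists to stop.
    if shire not in registered:
        return False, "shire is not a registered ACS endpoint for this providerId"
    return True, "ok"


if __name__ == "__main__":
    sp = "https://sp.example.edu/shibboleth"
    cases = [
        {"providerId": sp, "shire": "https://sp.example.edu/Shibboleth.sso/SAML/POST"},
        {"providerId": sp, "shire": "https://evil.example/collect"},
        {"providerId": sp, "shire": "https://sp.example.edu/some/other/page"},
        {"providerId": "https://unknown.example/shibboleth", "shire": "https://x/"},
    ]
    for c in cases:
        print(c["shire"], "->", validate_request(c))
```

Run as a script it walks four constructed requests: a legitimate one, a forged one pointing at an attacker host, a forged one pointing at an unregistered path on the real SP host, and one for an unknown providerId; only the first is accepted. The forged requests are indistinguishable from the WAYF's own impersonated requests, which is the message's point: the defense lives in where the assertion is allowed to go, not in who asked for it.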



