shibboleth-dev - RE: comments: draft-mace-shibboleth-arch-protocols-03
- From: "Scott Cantor" <>
- To: "'Tom Scavo'" <>
- Cc: "'Shibboleth Development'" <>
- Subject: RE: comments: draft-mace-shibboleth-arch-protocols-03
- Date: Thu, 11 Nov 2004 20:17:35 -0500
- Organization: The Ohio State University
> I disagree. The SAML 1.1 profiles are pretty clear about step 1,
> which is a request from a user's browser. (Obviously, a request must
> precede a response.)

SAML's step 1 is a request to the IdP intersite transfer service that is
internal to the IdP and is really a consequence of the profiles being
incomplete to begin with. I have no step for this.

My steps 2/3, which you seem to be pointing at, involve the browser making a
request containing an authentication request message. SAML does not define
this step anywhere, so it can't be matched up, but it's optional. There
needs to be a browser request at some point (of course), but not one that
comes from the WAYF or SP redirecting it, so it isn't this step.

In SAML 2.0, the description used is that processing can begin at my step 5,
which glosses over the fact that authentication took place or that the
browser made an HTTP request in order to get it started, but it's the same
idea.

I didn't try and line this up to the SAML 1.1 steps because working in the
request half is complicated with that as a starting point. I just copied the
2.0 diagram. Since the only normatively required steps in SAML start at the
response in my step 5, this is correct.

To have a required step that you're asking for, I'd have to introduce
something else into the diagram, and I think that's more confusing.

> Okay, I'll wait to see this new work.

The bit about using the profiles in metadata was in my last draft (2, I
guess) before I pulled it for this draft. The initial SAML working draft
from Greg is here:

http://www.oasis-open.org/committees/download.php/9967/draft-saml1x-metadata-01.pdf

-- Scott