
shibboleth-dev - RE: Token passing from SSO

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: "'Alistair Young'" <>, "'Shibboleth Development'" <>
  • Subject: RE: Token passing from SSO
  • Date: Wed, 22 Jun 2005 12:22:38 -0400
  • Organization: The Ohio State University

> The use case is where the SP hasn't redirected to the WAYF/IdP.
> Instead, something else has done it on its behalf. The SP receives
> the SAML Response from the IdP though. The "handle" or "id" or
> whatever would be used by the SP to match up the incoming Response
> with the original proxy.

Nate assumed a complex underlying reason for wanting to do this. Assuming
only a simplistic interpretation, the answer is no, there's nothing else you
can easily communicate inside the assertion. You could do this with the
target parameter, of course, but it won't be signed, and the SP wouldn't
know how to interpret it.

SAML 2.0 right now specifically screwed up this use case of a third party
AuthnRequest, and there's some discussion about a new extension SSO profile
that would enable one SP to create a signed AuthnRequest to be fulfilled at
another SP by using the unsolicited Response option in the original SSO
profile. You could ship your extra piece of data there in RelayState, but
again, the SP would have to know what to do with it, so it would depend on
whether RelayState was somehow exposed to applications.

-- Scott
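
Added example, not part of the message above and not Shibboleth code: one way a proxy and an SP could make a handle carried in the unsigned target or RelayState value tamper-evident. It assumes a key shared out of band between proxy and SP; `make_token`, `verify_token` and the token layout are hypothetical names and choices, not defined by SAML or Shibboleth.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

MAX_RELAYSTATE_BYTES = 80  # SAML 2.0 bindings cap RelayState at 80 bytes
TAG_LEN = 16               # truncated HMAC-SHA256 tag, in bytes


def make_token(key: bytes, handle: bytes) -> str:
    """Proxy side: append a MAC to the handle and encode it URL-safely."""
    tag = hmac.new(key, handle, hashlib.sha256).digest()[:TAG_LEN]
    token = base64.urlsafe_b64encode(handle + tag).rstrip(b"=").decode("ascii")
    if len(token) > MAX_RELAYSTATE_BYTES:
        raise ValueError("token too long for RelayState")
    return token


def verify_token(key: bytes, token: str, seen: set) -> Optional[bytes]:
    """SP side: return the handle if the tag verifies and it is not a replay."""
    if len(token) > MAX_RELAYSTATE_BYTES:
        return None
    try:
        padded = token + "=" * (-len(token) % 4)
        raw = base64.urlsafe_b64decode(padded.encode("ascii"))
    except ValueError:  # covers bad base64 and non-ASCII input
        return None
    if len(raw) <= TAG_LEN:
        return None
    handle, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, handle, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    if handle in seen:  # the same handle must not be accepted twice
        return None
    seen.add(handle)
    return handle


if __name__ == "__main__":
    key = secrets.token_bytes(32)     # constructed sample key
    handle = secrets.token_bytes(16)  # constructed sample handle
    token = make_token(key, handle)
    print(token, verify_token(key, token, set()) == handle)
```

The tag authenticates the handle only; it does not bind the handle to the signed assertion that arrives alongside it.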



