shibboleth-dev - RE: SAML Protocol Extension for Third-Party Requests
Subject: Shibboleth Developers
List archive
- From: "Scott Cantor" <>
- To: <>
- Subject: RE: SAML Protocol Extension for Third-Party Requests
- Date: Sat, 13 May 2006 14:32:42 -0400
- Organization: The Ohio State University
> Before I comment on this document, may I ask what is its intended use
> in Shib 2.0 (if any)?
If signed requests become de rigeur, then this extension is the only way
that a portal or some other intermediary can issue interoperable signed
requests on behalf of some SP to enable unsolicited SSO responses.
(Of course without signing, anything can spoof an AuthnRequest.)
You can think of it as a way of doing IdP-first triggers interoperably (as
opposed to SAML 1.x where the link to the ITS was proprietary).
The only reason it's cast so generally is because of politics. If it wasn't
layered underneath, a new SSO profile would have been needed and the whole
thing would have been a disaster.
Finally, new application profiles should consider whether a more appropriate
design is a pair of profiles:
- client/IdP token request/response
- token / app message attachment
In that model the AuthnRequest comes from the client, not the eventual
relying party, making the extension superfluous.
-- Scott
- SAML Protocol Extension for Third-Party Requests, Tom Scavo, 05/13/2006
- RE: SAML Protocol Extension for Third-Party Requests, Scott Cantor, 05/13/2006
- Re: SAML Protocol Extension for Third-Party Requests, Tom Scavo, 05/13/2006
- RE: SAML Protocol Extension for Third-Party Requests, Scott Cantor, 05/13/2006
- Re: SAML Protocol Extension for Third-Party Requests, Tom Scavo, 05/13/2006
- RE: SAML Protocol Extension for Third-Party Requests, Scott Cantor, 05/13/2006
Archive powered by MHonArc 2.6.16.