shibboleth-dev - RE: [Shib-Dev] Configure relying party for non-browser client
Subject: Shibboleth Developers
List archive
- From: "Scott Cantor" <>
- To: <>
- Subject: RE: [Shib-Dev] Configure relying party for non-browser client
- Date: Tue, 10 Jun 2008 21:37:04 -0400
- Organization: The Ohio State University
> My question is: how do I configure the relying party so that each time the
> IdP receives a samlp:AuthnRequest from this non-browser client, it asks
for
> the client to authenticate with the method I intend it to?
Getting the right authentication method is based on the requested
AuthnContext class, same as for any SP. The Issuer should be the SP if
you're following that profile. Requests in the browser SSO profiles don't
come from the client, they come from SPs. The client merely relays them.
The exception to that is unsolicited responses and it's been noted lately
that the IdP has no support for that with SAML 2 because that support would
effectively be like adding a new request protocol.
But the issuer can't be the client, because if you do that, the IdP is
obligated to target the response at *you*, not at the SP. And that doesn't
work for SSO. As an example, the binding might dictate that Destination be
set to the response address. For that to be the SP, the IdP has to think the
request came from the SP.
There's also a proposed extension for getting around this issue by enabling
the requester to indicate that the response should go to somebody else. One
possible use for it is this use case.
-- Scott
- Configure relying party for non-browser client, Joana M. F. Trindade, 06/10/2008
- RE: [Shib-Dev] Configure relying party for non-browser client, Scott Cantor, 06/10/2008
- Re: [Shib-Dev] Configure relying party for non-browser client, Chad La Joie, 06/10/2008
- Re: [Shib-Dev] Configure relying party for non-browser client, Joana M. F. Trindade, 06/11/2008
Archive powered by MHonArc 2.6.16.