shibboleth-dev - RE: [Shib-Dev] idp-initiated SSO

Subject: Shibboleth Developers

  • From: Peter Williams <>
  • To: "" <>
  • Subject: RE: [Shib-Dev] idp-initiated SSO
  • Date: Tue, 7 Oct 2008 09:38:05 -0700
  • Accept-language: en-US

This is all very nice.

But, is there support for
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html#5.1.4.IdP-Initiated%20SSO:%20%20POST%20Binding|outline

It's not a "third-party" who initiates, in the documented use case. It's
specifically the IDP, one of the two parties in the conversation.

The obvious intent is that the semantics are identical with (or at least
equivalent to) SAML1.1

-----Original Message-----
From: Scott Cantor
[mailto:]
Sent: Tuesday, October 07, 2008 9:34 AM
To:

Subject: RE: [Shib-Dev] idp-initiated SSO

> That's an interesting question. I don't know how you could tell a 3rd-party
> initiated request from an SP-initiated one, at the IdP, unless you
> required signed requests (which we don't).

Well, we don't by default, that's up to the deployer. But the answer is, I
proposed an extension for either unsigned or signed requests that
distinguishes them, and makes it possible to make the mechanics all work
without violating the profile.

Sometimes it takes people a while to figure out why I propose things. ;-)

-- Scott




