shibboleth-dev - RE: [Shib-Dev] idp-initiated SSO

RE: [Shib-Dev] idp-initiated SSO


  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [Shib-Dev] idp-initiated SSO
  • Date: Tue, 7 Oct 2008 12:48:13 -0400
  • Organization: The Ohio State University

> But, is there support for http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0-cd-02.html#5.1.4.IdP-Initiated%20SSO:%20%20POST%20Binding|outline

No.

> The obvious intent is that the semantics are identical with (or at least
> equivalent to) SAML1.1

Yes, but those semantics were nonsense, because the concept is impossible.
The IdP is a server. HTTP is a request/response protocol. To tell a server to
do something, you have to ask it to. Asking it to requires a protocol. Ergo,
the IdP cannot initiate SSO without defining a protocol for asking it to,
which is, well, what SAML 2 defines.

So the problem is twofold:

- How do you define an SSO request protocol for the IdP that doesn't just
reinvent the SAML request, while still supporting many of its features, and
wouldn't it be proprietary?

- How do you support the idea that some deployers might require signed
requests, if you open up a request option that probably wouldn't be signed?

-- Scott
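The "protocol for asking it to" in the reply above is, in SAML 2, the AuthnRequest. The following Go program is an added illustration and is not code from this thread or from Shibboleth: an SP encodes an AuthnRequest for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding, optional detached signature over the query string), and an IdP decodes it while enforcing the deployer policy raised in the second bullet, namely that requests must be signed. It uses only the Go standard library; the `AuthnRequest` struct is a minimal subset, `IdPPolicy`, the entityIDs and the URLs are constructed for the example, and only the rsa-sha256 form of the Redirect-binding signature is handled.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"net/url"
	"strings"
)

const rsaSHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// AuthnRequest is the subset of a SAML 2.0 AuthnRequest this example reads back
// (constructed minimal struct, not the full schema).
type AuthnRequest struct {
	XMLName                     xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol AuthnRequest"`
	ID                          string   `xml:",attr"`
	Version                     string   `xml:",attr"`
	IssueInstant                string   `xml:",attr"`
	AssertionConsumerServiceURL string   `xml:",attr"`
	Issuer                      string   `xml:"urn:oasis:names:tc:SAML:2.0:assertion Issuer"`
}

// IdPPolicy models the deployer choice from the thread: are unsigned requests acceptable?
// SPKeys stands in for the verification keys the IdP would load from SP metadata.
type IdPPolicy struct {
	RequireSignedRequests bool
	SPKeys                map[string]*rsa.PublicKey // issuer entityID -> key
}

// deflateB64 applies the Redirect-binding encoding: raw DEFLATE, then base64.
func deflateB64(p []byte) (string, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.DefaultCompression)
	if err != nil { return "", err }
	if _, err := w.Write(p); err != nil { return "", err }
	if err := w.Close(); err != nil { return "", err }
	return base64.StdEncoding.EncodeToString(buf.Bytes()), nil
}

// inflateB64 reverses deflateB64, capping the inflated size so a tiny request
// cannot expand into an unbounded buffer on the IdP.
func inflateB64(s string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(s)
	if err != nil { return nil, err }
	r := flate.NewReader(bytes.NewReader(raw))
	defer r.Close()
	return io.ReadAll(io.LimitReader(r, 1<<20))
}

// BuildRedirect returns the query string an SP appends to the IdP SSO endpoint.
// With key == nil the request goes out unsigned; otherwise the signature covers
// exactly "SAMLRequest=..[&RelayState=..]&SigAlg=.." in that order, URL-encoded.
func BuildRedirect(req AuthnRequest, relayState string, key *rsa.PrivateKey) (string, error) {
	x, err := xml.Marshal(req)
	if err != nil { return "", err }
	enc, err := deflateB64(x)
	if err != nil { return "", err }
	q := "SAMLRequest=" + url.QueryEscape(enc)
	if relayState != "" { q += "&RelayState=" + url.QueryEscape(relayState) }
	if key == nil { return q, nil }
	q += "&SigAlg=" + url.QueryEscape(rsaSHA256)
	h := sha256.Sum256([]byte(q))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil { return "", err }
	return q + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// ReceiveRedirect is the IdP side: decode the request, then apply the signing
// policy. The signed string is rebuilt from the encoded values exactly as received,
// never re-encoded, because a different encoder would change the signed bytes.
func ReceiveRedirect(rawQuery string, pol IdPPolicy) (*AuthnRequest, error) {
	raw := map[string]string{}
	for _, kv := range strings.Split(rawQuery, "&") {
		k, v, _ := strings.Cut(kv, "=")
		raw[k] = v
	}
	encReq, err := url.QueryUnescape(raw["SAMLRequest"])
	if err != nil || encReq == "" { return nil, errors.New("missing SAMLRequest") }
	x, err := inflateB64(encReq)
	if err != nil { return nil, err }
	var req AuthnRequest
	if err := xml.Unmarshal(x, &req); err != nil { return nil, err }
	pub, known := pol.SPKeys[req.Issuer]
	if !known { return nil, errors.New("issuer not in metadata: " + req.Issuer) }
	if _, signed := raw["Signature"]; !signed {
		if pol.RequireSignedRequests { return nil, errors.New("policy requires signed requests") }
		return &req, nil
	}
	if alg, _ := url.QueryUnescape(raw["SigAlg"]); alg != rsaSHA256 {
		return nil, errors.New("unsupported SigAlg")
	}
	sigB64, _ := url.QueryUnescape(raw["Signature"])
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil { return nil, err }
	s := "SAMLRequest=" + raw["SAMLRequest"]
	if rs, ok := raw["RelayState"]; ok { s += "&RelayState=" + rs }
	s += "&SigAlg=" + raw["SigAlg"]
	h := sha256.Sum256([]byte(s))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return nil, errors.New("bad request signature")
	}
	return &req, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	req := AuthnRequest{ID: "_example1", Version: "2.0", IssueInstant: "2008-10-07T16:48:13Z",
		AssertionConsumerServiceURL: "https://sp.example.org/Shibboleth.sso/SAML2/POST",
		Issuer: "https://sp.example.org/shibboleth"} // constructed values
	pol := IdPPolicy{RequireSignedRequests: true, SPKeys: map[string]*rsa.PublicKey{req.Issuer: &key.PublicKey}}
	for _, k := range []*rsa.PrivateKey{nil, key} {
		q, _ := BuildRedirect(req, "/protected", k)
		_, err := ReceiveRedirect(q, pol)
		fmt.Printf("signed=%v -> error=%v\n", k != nil, err)
	}
}
```

The two runs in `main` show the tension in the reply: with `RequireSignedRequests` set, the unsigned form of the very same request is refused, so any lighter-weight "just ask the IdP" mechanism that omits the signature is exactly what such a deployer has configured the IdP to reject.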




