
shibboleth-dev - RE: [Shib-Dev] idp-initiated SSO

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [Shib-Dev] idp-initiated SSO
  • Date: Tue, 7 Oct 2008 12:55:50 -0400
  • Organization: The Ohio State University

I should soften my response...I think I know of one way to effectively
produce something like an IdP-initiated flow. It would require that the user
first log in to the IdP and then make some kind of interactive selection to
tell it to produce a response.

That sidesteps the signed vs. unsigned issue by guarding the mechanism with
the authentication step first, as opposed to enabling it from a client with
no regard for that.

Knowing how the commercial IdPs are implemented as gateways and portals,
that's what I've typically seen, so I'm sure that's what we'd have to do.

We definitely don't have that now, no. The reason is that in most cases,
what you want to be able to do is link to the IdP from *outside* it to tell
it "hey, produce a response to SP Foo". That is *not* IdP-initiated, and
that's the point I was trying to make.

-- Scott




