
shibboleth-dev - RE: [Shib-Dev] idp-initiated SSO

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: [Shib-Dev] idp-initiated SSO
  • Date: Tue, 7 Oct 2008 16:37:52 -0400
  • Organization: The Ohio State University

> I don't know if anyone really is asking for an unguarded idp-initiation
> endpoint.

Whether this specific case happens to be that or not, I don't know, but I
know very well that's what 99% of the demand is.

Unguarded in this context means "invokable even if the user hasn't already
authenticated, in the middle of which the user will be asked to do so". In
other words, the SSO service.

> It's not obvious who is asking for the new use case of a third-
> party invoking a (guarded) idp-initiation endpoint (though it sounds
> interesting).

Anybody asking for a persistent link to the IdP to cause it to do SSO, as
was possible with the older legacy protocol.

> Should we henceforth use the terminology of "does Shib support unsolicited
> responses"?

Shibboleth does not have a UI behind an authenticated interface, therefore
it physically cannot support that because that's the only way to do
something like that. If authentication just happens in real time after you
invoke a URL, then that's NOT IdP-initiated SSO. Simply doesn't meet any
sensible definition.

-- Scott




