Passively check for session with multiple IdPs
peter.schober at univie.ac.at
Wed Nov 16 12:59:01 GMT 2011
* Donald Shaw <donald.s.shaw at gmail.com> [2011-11-16 07:03]:
> is it possible to quietly (probably "passively") check multiple IdPs to see
> if the user has a session with any of them, and only hassle the user with a
> login page (or Discover Service IdP-selection page) if they have no such
isPassive is an attribute on an authentication request.
By default the software will only sent out one such authentication
request if configured via the webserver (or the portable
configuration), to either the default IdP or the IdP selected via
So the only way to do this IMHO would be generate those authentication
requests yourself, programmatically (possibly with help of the session
initiator, where you would loop over all IdPs and keep sending the
user agent elsewhere).
Depending on latency and number of IdPs this probably won't go
unnoticed by the user and will most certainly not provide a good user
Also note that isPassive is of course SAML2 only, so if some of those
IdPs are still SAML1-only (I hear such things do exists) this wouldn't
work as indended.
More information about the users