Passively check for session with multiple IdPs

Donald Shaw donald.s.shaw at gmail.com
Wed Nov 16 14:35:26 GMT 2011


Yeah, I realise there may be latency, non-SAML2, and other such issues.
Nevertheless, this is still something we want to investigate further (it
may well end up interfering in the user experience less than other possible
paths we might take).

How might an appropriate SessionInitiator for looping over 2 or more IdPs
look?

Thanks for the feedback,
cheers,
Donald.

On Wed, Nov 16, 2011 at 11:59 PM, Peter Schober
<peter.schober at univie.ac.at> wrote:

> * Donald Shaw <donald.s.shaw at gmail.com> [2011-11-16 07:03]:
> > is it possible to quietly (probably "passively") check multiple IdPs to
> > see if the user has a session with any of them, and only hassle the user
> > with a login page (or Discovery Service IdP-selection page) if they have
> > no such sessions?
>
> isPassive is an attribute on an authentication request.
> By default the software will only send out one such authentication
> request if configured via the webserver (or the portable
> configuration), to either the default IdP or the IdP selected via
> content settings.
> So the only way to do this IMHO would be to generate those authentication
> requests yourself, programmatically (possibly with help of the session
> initiator, where you would loop over all IdPs and keep sending the
> user agent elsewhere).
>
> Depending on latency and number of IdPs this probably won't go
> unnoticed by the user and will most certainly not provide a good user
> experience.
>
> Also note that isPassive is of course SAML2 only, so if some of those
> IdPs are still SAML1-only (I hear such things do exist) this wouldn't
> work as intended.
> -peter
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
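The loop Peter sketches (send an isPassive authentication request to one IdP, and if it reports that it has no session, send the user agent on to the next one) as an added example. This is not code from the thread, from Shibboleth, or from either poster: it models the flow in plain Python rather than as an SP SessionInitiator. The IdP list, SP entity ID and URLs, the two sample Responses and the `step`/`simulate` helpers are constructed for illustration; request signing and full Response validation (signature, audience, InResponseTo, validity window) are deliberately left out, and a real SP must do both before trusting a Success status.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode, urlparse, parse_qs

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_NOPASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"

# Constructed SP values and candidate IdPs (placeholders, not a real deployment).
# "saml2" marks SAML 2.0 support: isPassive is SAML2-only, so SAML1-only IdPs are skipped.
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
ACS_URL = "https://sp.example.org/Shibboleth.sso/SAML2/POST"
DISCOVERY_URL = "https://ds.example.org/DS"
IDPS = [
    {"entity_id": "https://idp-a.example.edu/idp", "saml2": True,
     "sso_url": "https://idp-a.example.edu/idp/profile/SAML2/Redirect/SSO"},
    {"entity_id": "https://idp-b.example.edu/idp", "saml2": False,
     "sso_url": "https://idp-b.example.edu/shibboleth-idp/SSO"},
    {"entity_id": "https://idp-c.example.edu/idp", "saml2": True,
     "sso_url": "https://idp-c.example.edu/idp/profile/SAML2/Redirect/SSO"},
]

# Constructed Responses an IdP might return to a passive request.
SAMPLE_NOPASSIVE_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_n1" Version="2.0" IssueInstant="2011-11-16T14:00:00Z">'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">'
    f'<samlp:StatusCode Value="{STATUS_NOPASSIVE}"/></samlp:StatusCode></samlp:Status></samlp:Response>')
SAMPLE_SUCCESS_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_s1" Version="2.0" IssueInstant="2011-11-16T14:00:00Z">'
    f'<samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status></samlp:Response>')


def build_passive_authn_request(idp_sso_url, request_id=None, issue_instant=None):
    """Unsigned SAML2 AuthnRequest carrying IsPassive="true" (the attribute Peter names)."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant, "Destination": idp_sso_url,
        "IsPassive": "true",  # the IdP must answer without interacting with the user
        "AssertionConsumerServiceURL": ACS_URL,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    return ET.tostring(req, encoding="unicode")

def redirect_binding_url(sso_url, authn_request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode (request signing omitted)."""
    raw = zlib.compress(authn_request_xml.encode("utf-8"))[2:-4]  # strip zlib header/trailer
    params = {"SAMLRequest": base64.b64encode(raw).decode("ascii"), "RelayState": relay_state}
    return sso_url + ("&" if "?" in sso_url else "?") + urlencode(params)

def decode_saml_request(url):
    """Inverse of redirect_binding_url: returns (AuthnRequest XML, RelayState)."""
    query = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15).decode("utf-8")
    return xml, query["RelayState"][0]

def next_candidate(start_index):
    """Index of the next SAML2-capable IdP at or after start_index, or None."""
    for i in range(start_index, len(IDPS)):
        if IDPS[i]["saml2"]:
            return i
    return None

def response_status(response_xml):
    """(top-level StatusCode, second-level StatusCode or None) of a Response."""
    code = ET.fromstring(response_xml).find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None:
        raise ValueError("Response carries no StatusCode")
    sub = code.find(f"{{{SAMLP}}}StatusCode")
    return code.get("Value"), (sub.get("Value") if sub is not None else None)

def step(relay_state=None, response_xml=None):
    """One turn of the loop: relay_state is the index of the IdP just probed (None to
    start), response_xml its Response. Returns ("redirect"|"session"|"discovery", value)."""
    if relay_state is None:
        idx = next_candidate(0)
    else:
        probed = int(relay_state)
        top, sub = response_status(response_xml)
        if top == STATUS_SUCCESS:
            # Only the status is read here; a real SP validates the assertion first.
            return ("session", IDPS[probed]["entity_id"])
        # NoPassive means "no session at this IdP"; other failures are treated alike.
        idx = next_candidate(probed + 1)
    if idx is None:
        return ("discovery", DISCOVERY_URL)  # nobody had a session: ask the user
    xml = build_passive_authn_request(IDPS[idx]["sso_url"])
    return ("redirect", redirect_binding_url(IDPS[idx]["sso_url"], xml, str(idx)))

def simulate(answers):
    """Drive the loop offline: answers maps entityID -> the Response XML that IdP
    would return. Returns (list of probed entityIDs, terminal action)."""
    probed, action = [], step()
    while action[0] == "redirect":
        _, relay = decode_saml_request(action[1])
        entity = IDPS[int(relay)]["entity_id"]
        probed.append(entity)
        action = step(relay, answers[entity])
    return probed, action
```

`simulate({...})` with idp-a answering NoPassive and idp-c answering Success probes idp-a, skips the SAML1-only idp-b, and ends with `("session", idp-c)`; with every IdP answering NoPassive it ends at the discovery URL. The loop state (which IdP was last tried) rides in RelayState, so each probe costs the user a full redirect round trip to that IdP, which is exactly the latency Peter warns about; keep the candidate list short and order it by likelihood.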