Shib IdP 2.3.5 + ECP

Cantor, Scott cantor.2 at
Wed Nov 23 15:37:16 GMT 2011

On 11/23/11 10:30 AM, "Chad La Joie" <lajoie at> wrote:

>Well, I guess this is one area where we're going to disagree.  I think
>if you (the SP or the client) can't handle a UI then the request coming
>in to the IdP better be marked with isPassive.  That's what that option
>is there for in the protocol.

But it isn't there for that (and the SP can't know that). The flag is for
SPs that want to probe for an existing session without doing an actual
login yet. It isn't anything to do with client capability.

The client/IDP interaction in ECP is entirely out of scope, which is why
it's not interoperable if you add a UI. This is one of the
not-interoperable areas. If you add a UI to the IdP, you have to account
for it somehow either in the client or in how you expose the UI.

-- Scott
