Is it possible to hit the IdP login form directly from a browser?
Yaowen Tu
yaowen.tu at gmail.com
Fri Aug 31 22:36:03 EDT 2012
Hi,
This might be a dumb question, or something that violates the SAML design
principles. I just want to see how we designed the IdP to treat this use
case.
In the usual way, the end user will access a protected page in the SP first, and
after some redirection, the IdP displays a login page; suppose the login page
is "https://localhost/idp/Authn/UserPassword". After that the IdP establishes
a session with the browser.
What if the user directly accesses
"https://diamond.actuate.com/idp/Authn/UserPassword"? I have tried this with the Shib
IdP, and it shows an error, which is what I expected. I just want to know
why this use case is invalid.
Based on my experience with SAML (very limited), I think it makes sense
that the user logs in to the IdP first to establish a valid session, and then later on he
can access some SP-protected resources without entering the password. There
should be some reason that I missed that explains the potential problem with
this approach.
Another related question is: I know there is something called
"IdP-initiated" SSO, where the user hits
*/idp/profile/SAML2/Unsolicited/SSO* directly,
and then the IdP redirects to a login page. Do we support something like this to
automatically get the user name and password?
*/idp/profile/SAML2/Unsolicited/SSO?username=user1&password=password1*
I have been thinking about the reason for it. Is it because SAML
doesn't actually define how the IdP authenticates a user? So it is every IdP's
responsibility, and interoperability is an issue? What else?
Best,
Yaowen