Vendor's SAML support interpretation

David Bantz dabantz at
Tue Feb 19 16:52:27 EST 2013

A potential vendor's documentation describes their support for SSO and SAML as follows:

> SAML Authentication:
> User initiates the request via a link
> Client’s server intercepts and generates SSO assertion
> SAML assertion is posted to SSO URL by the browser
> Signature, timestamp, and recipient are posted
> Payload is examined for destinations
> User looked-up, must be active
> User logged-in and redirected to destination (login page or deep link)

Do I correctly infer they are supporting only unsolicited or "idp initiated" SSO?

What caveats (if any) should I relay to the prospective service owner(s)?

I've read

Thanks for any pointers,

David Bantz
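
The recipient and timestamp checks from the vendor's list, applied to a posted response, as an added example that is not part of the original message or the vendor's code. The sample XML, URLs and the `check_response` helper are constructed for illustration; signature verification is assumed to have been done beforehand by a vetted SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the Response carries no InResponseTo attribute,
# which is what an unsolicited (IdP-initiated) response looks like.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2013-02-19T21:50:00Z" Destination="https://sp.example.org/sso">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-02-19T21:50:00Z">
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.org/sso"
            NotOnOrAfter="2013-02-19T21:55:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    """Parse a UTC SAML timestamp without fractional seconds."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, sso_url, now, seen_ids):
    """Return (unsolicited, problems). An empty problems list means the checks passed.
    Assumption: the XML signature was already verified; it is NOT checked here."""
    root = ET.fromstring(xml_text)
    unsolicited = "InResponseTo" not in root.attrib
    assertion = root.find("saml:Assertion", NS)
    data = root.find(".//saml:SubjectConfirmationData", NS)
    if assertion is None or data is None:
        return unsolicited, ["missing Assertion or SubjectConfirmationData"]
    problems = []
    if data.get("Recipient") != sso_url:
        problems.append("recipient mismatch")
    expiry = data.get("NotOnOrAfter")
    if expiry is None or now >= _ts(expiry):
        problems.append("expired or missing NotOnOrAfter")
    # An unsolicited response has no AuthnRequest to correlate against, so the
    # cache of already-used assertion IDs is what stops a captured POST being replayed.
    if assertion.get("ID") in seen_ids:
        problems.append("replayed assertion")
    seen_ids.add(assertion.get("ID"))
    return unsolicited, problems
```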