Mapping requests to responses

Cantor, Scott cantor.2 at
Tue May 24 23:43:18 EDT 2016

On 5/24/16, 11:31 PM, "users on behalf of Nate Klingenstein" <users-bounces at on behalf of ndk at> wrote:

>Thanks for the confirmation. One last question: why not implement any of that?

It didn't exist in SAML 1.1, and IdP-initiated SSO was a required feature in SAML 2. The only feature that correlation can provide that can't be accomplished some other way is XSRF protection, and that's only possible to get if you disable IdP-initiated.

I would like to do it, but I have approximate 600,000 other things to do right now and I haven't studied the problem enough to know how to implement it properly. Since the SP doesn't have a way to generate tamper-proof cookies, it's not exactly self-evident. Somehow I doubt adding yet another key to the mix is going to be a popular idea with anybody.

-- Scott

More information about the users mailing list