Enforcing SAML2/transmission of persistentId for WAYF service?

Peter Schober peter.schober at univie.ac.at
Thu Nov 21 08:25:11 EST 2019


* Stefan Kombrink <stefan.kombrink at uni-ulm.de> [2019-11-21 08:24]:
> To me it seems as if the WAYF forces it to use SAML1, and that's why I do
> not obtain the entityID. Is that so?

Indeed. The flow for (obsolete) "WAYF" is different and goes from the
IDP Discovery Service directly to the IDP. Avoid that anywhere/everywhere.

In the "SAMLDS" flow the discovery service sends you back to the SP
(with the selected IDP, of course) and only the SP then sends you on to
the IDP by sending an authn request (as usual) with whatever
properties the SP requires. That allows the SP to sign the authn
request, if so desired, or add policy to it depending on the IDP's
entityID.

-peter
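As an added illustration of the SAMLDS flow described in the reply above (example code, not from this thread or the Shibboleth project): the SP-side redirect to the discovery service, the DS-side check that the `return` URL is one the SP registered as a DiscoveryResponse endpoint in its metadata, and the SP reading back the chosen IdP's entityID before it builds its own authn request. Hostnames, entityIDs and endpoint locations are constructed sample values.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample metadata: DiscoveryResponse Locations an SP has published,
# keyed by its entityID (hypothetical values, not taken from the thread).
SP_DISCOVERY_RESPONSES = {
    "https://sp.example.org/shibboleth": ["https://sp.example.org/Shibboleth.sso/DS"],
}

def build_ds_request(ds_url, sp_entity_id, return_url,
                     return_id_param="entityID", is_passive=False):
    """SP side: send the browser to the discovery service, naming the SP
    (entityID) and the URL the DS must send the user back to (return)."""
    params = {"entityID": sp_entity_id, "return": return_url}
    if return_id_param != "entityID":      # "entityID" is the profile's default
        params["returnIDParam"] = return_id_param
    if is_passive:
        params["isPassive"] = "true"
    return f"{ds_url}?{urlencode(params)}"

def ds_return_is_registered(sp_entity_id, return_url):
    """DS side: accept the return URL only if its scheme, host, port and path
    equal a DiscoveryResponse Location in the SP's metadata (the query string
    may differ). Without this check the DS is an open redirector."""
    r = urlsplit(return_url)
    for loc in SP_DISCOVERY_RESPONSES.get(sp_entity_id, []):
        reg = urlsplit(loc)
        if r.scheme == "https" and (r.scheme, r.netloc, r.path) == (reg.scheme, reg.netloc, reg.path):
            return True
    return False

def build_ds_response(return_url, chosen_idp, return_id_param="entityID"):
    """DS side: append the selected IdP's entityID to the SP's return URL,
    keeping whatever query string the SP already put there (e.g. target)."""
    sep = "&" if urlsplit(return_url).query else "?"
    return f"{return_url}{sep}{urlencode({return_id_param: chosen_idp})}"

def handle_ds_response(url, return_id_param="entityID"):
    """SP side: read the chosen IdP's entityID from the URL the DS redirected
    to. Only now does the SP build its own AuthnRequest (signed if wanted,
    with policy chosen per IdP). Returns None if the parameter is missing
    or repeated."""
    values = parse_qs(urlsplit(url).query).get(return_id_param, [])
    return values[0] if len(values) == 1 and values[0] else None
```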

