<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Thanks a lot Nate. I get the idea.<div><br></div><div>The reason I ask the question is that I am thinking about how to support our mobile app login. It doesn't need to be SSO, and if the mobile app can get the user name and password, how can the app post a form to the IdP to authenticate the user directly?</div><div><br></div><div>Do you know how SAML users achieve mobile app login? Is this where ECP should be considered?</div><div><br></div><div>Yaowen</div><div><br></div><div><div><div>On Aug 31, 2012, at 8:26 PM, Nate Klingenstein wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">I should add, one of the nice things about federated identity as compared to other forms of interrealm identity is that it does introduce some important degrees of freedom. Allowing the IdP to authenticate its users however it needs to get that done makes interop easier, not harder. The SP can always place restrictions on the form of authentication that it will accept, and in most flows, no entity directly authenticates the user except the IdP.<div><br><div><div>On Sep 1, 2012, at 2:36 , Yaowen Tu wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; ">I have been thinking about the reason for it. 
Is it because SAML doesn't actually define how the IdP authenticates a user? So it is every IdP's responsibility and interoperability is an issue? What else?<br></span></blockquote></div><br></div></div></blockquote></div><br></div></body></html>