Yet Another Delegation Thread

Josh Hoyt josh at janrain.com
Thu Oct 26 15:27:31 UTC 2006


On 10/26/06, Dick Hardt <dick at sxip.com> wrote:
> >      * If the IdP-specific identifier is not checked by the relying
> > party's discovery, the IdP MUST do discovery on every request to
> > ensure that it's not making an assertion based on stale information.
>
> Which is probably a good idea. :-)
> If the IdP is sending both identifiers in a signed response, then
> they both should be valid.

Requiring this discovery adds another (redundant) HTTP request to the
authentication process, which takes time. I'd like to be able to
improve the "User Experience" by implementing an IdP that would verify
the binding occasionally, but not *every time* the user authenticates.

Josh
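
To make the trade-off discussed above concrete, here is an added example (not code from the specs thread, from JanRain, or from any OpenID library): a toy Python OP that caches the binding between a claimed identifier and its OP-local identifier and re-runs discovery only when the cached check is older than a TTL, together with the relying-party check that would make the OP's per-request discovery redundant. The endpoints, identifiers, the in-memory stand-in for discovery, the HMAC "signature" and the TTL are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

Binding = Tuple[str, str]  # (op_endpoint, op_local_id) as published by the claimed_id


def make_discover(docs: Dict[str, Binding]) -> Callable[[str], Optional[Binding]]:
    """Stand-in for HTTP discovery (constructed): a real OP would fetch the claimed
    identifier and read its XRDS or openid2.provider / openid2.local_id links."""
    return lambda claimed_id: docs.get(claimed_id)


@dataclass
class CachedBinding:
    op_local_id: str
    verified_at: float


class OpenIDProvider:
    """Toy OP that re-checks a delegation binding by discovery only when the
    cached check is older than ttl_seconds (the "occasionally" in the message)."""

    def __init__(self, endpoint: str, discover: Callable[[str], Optional[Binding]],
                 ttl_seconds: float, secret: bytes):
        self.endpoint = endpoint
        self.discover = discover
        self.ttl = ttl_seconds
        self.secret = secret
        self.cache: Dict[str, CachedBinding] = {}
        self.discovery_calls = 0  # the extra HTTP round trips the message objects to

    def binding_is_current(self, claimed_id: str, op_local_id: str, now: float) -> bool:
        entry = self.cache.get(claimed_id)
        if entry and entry.op_local_id == op_local_id and now - entry.verified_at < self.ttl:
            return True  # cached and fresh: no discovery on this request
        self.discovery_calls += 1
        if self.discover(claimed_id) != (self.endpoint, op_local_id):
            self.cache.pop(claimed_id, None)
            return False
        self.cache[claimed_id] = CachedBinding(op_local_id, now)
        return True

    def assert_identity(self, claimed_id: str, op_local_id: str, now: float) -> Optional[dict]:
        """Positive assertion carrying both identifiers, signed with a toy HMAC.
        Assumes the user has already authenticated to the OP as op_local_id."""
        if not self.binding_is_current(claimed_id, op_local_id, now):
            return None
        fields = {"op_endpoint": self.endpoint, "claimed_id": claimed_id, "identity": op_local_id}
        signed = "&".join(f"{k}={v}" for k, v in sorted(fields.items())).encode()
        fields["sig"] = hmac.new(self.secret, signed, hashlib.sha256).hexdigest()
        return fields


def rp_checks_binding(assertion: dict, discover: Callable[[str], Optional[Binding]]) -> bool:
    """The RP-side check the message refers to: discover claimed_id and require the
    asserted endpoint and OP-local identifier to match what is published now."""
    return discover(assertion["claimed_id"]) == (assertion["op_endpoint"], assertion["identity"])


def run_scenario() -> dict:
    """Walk through the trade-off: a cached binding skips discovery, a re-delegation
    leaves the OP vouching for stale data inside the TTL, the RP check catches it,
    and the OP refuses once the TTL has expired."""
    docs = {"https://alice.example/": ("https://op.example/auth", "https://op.example/alice")}
    discover = make_discover(docs)
    op = OpenIDProvider("https://op.example/auth", discover, ttl_seconds=3600, secret=b"demo-key")
    claimed, local = "https://alice.example/", "https://op.example/alice"
    out = {}
    first = op.assert_identity(claimed, local, now=1000.0)
    out["first_ok"] = first is not None
    out["calls_after_first"] = op.discovery_calls
    second = op.assert_identity(claimed, local, now=1060.0)
    out["second_ok"] = second is not None
    out["calls_after_second"] = op.discovery_calls  # still 1: cache hit
    out["rp_accepts_second"] = rp_checks_binding(second, discover)
    # Alice moves her delegation to a different OP-local identifier.
    docs[claimed] = ("https://op.example/auth", "https://op.example/alice-new")
    stale = op.assert_identity(claimed, local, now=1120.0)
    out["stale_assertion_issued"] = stale is not None  # OP still vouches, within TTL
    out["rp_accepts_stale"] = rp_checks_binding(stale, discover)  # RP discovery rejects
    expired = op.assert_identity(claimed, local, now=1000.0 + 3600)
    out["after_ttl_ok"] = expired is not None
    out["calls_total"] = op.discovery_calls
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The scenario shows both sides of the argument: the second authentication costs no discovery round trip, but a user who re-delegates inside the TTL still receives a validly signed assertion for the old pairing from the OP, which is exactly the stale-information case the quoted spec text guards against. The window is bounded by the TTL on the OP side and closed entirely if the RP does its own discovery check on the claimed identifier.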