[Openid-specs-ab] [External Sender] Re: IDP Hint for /authorization requests

Giuseppe De Marco demarcog83 at gmail.com
Wed Aug 3 12:52:15 UTC 2022


Hi,

IDP Hinting is adopted in the Italian Attribute Authorities infrastructure,
page 36 (Italian only, unfortunately):
https://www.agid.gov.it/sites/default/files/repository_files/llgg_attribute_authority-allegato_tecnico_oas3.pdf

It also references AARC-G049.

On Wed, 3 Aug 2022 at 14:00, Mischa Salle via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> Hi all,
>
> FYI in the context of research and education a very common scenario is
> an OP that needs to send the user via a "discovery page" to an e.g. SAML
> IdP. The discovery page typically shows all the national federation
> or global eduGAIN IdPs. The requirement to be able to bypass the
> discovery and direct the user to a specific IdP led several groups to
> implement idphinting.
> Within the AARC community we have therefore come up with a standard that
> originally used a parameter named idphint that contains the URL-encoded
> SAML entityID of the IdP. This has later been changed and renamed into a
> parameter that's more name-collision resistant, aarc_idp_hint, see
> https://zenodo.org/record/4596667
> URL-encoding the value of the parameter is necessary for SAML entityIDs
> which are URIs.
>
> Best wishes,
> Mischa Sallé
>
> On Tue, Aug 02, 2022 at 03:52:42PM -0700, Vittorio Bertocci via
> Openid-specs-ab wrote:
> > Well, there’s no guarantee that the IdP is connected to the OP/AS via
> > OIDC - in fact protocol transition is super common. The actual IdP might
> > have no notion of issuer.
> >
> > On Tue, Aug 2, 2022 at 15:50 David Waite <david at alkaline-solutions.com>
> > wrote:
> >
> > >
> > > But wouldn’t it usually be the issuer?
> > >
> > > > On Aug 2, 2022, at 9:50 AM, George Fletcher via Openid-specs-ab <
> > > openid-specs-ab at lists.openid.net> wrote:
> > > >
> > > > All very relevant points. I was looking at it more as idp_hint=<string>
> > > > where <string> is defined by the specific OP and explicitly left out of
> > > > scope of the spec. All it does is standardize the name of the parameter
> > > > and let each implementation define its own syntax.
>
> > _______________________________________________
> > Openid-specs-ab mailing list
> > Openid-specs-ab at lists.openid.net
> > https://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
> --
> Nikhef                      Room  1.14
> Science Park 110            Tel.  +31-6-4681 2202
> 1098 XG Amsterdam           Fax   +31-20-592 5155
> The Netherlands             Email msalle at nikhef.nl
>   __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..
>
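An added example, not part of the original thread or of any AARC or OpenID text: it shows why the SAML entityID carried in `aarc_idp_hint` has to be URL-encoded, and one way an OP could check the hint before bypassing discovery. The endpoint, client values, entityIDs and the fallback policy (unknown or repeated hint means show the discovery page) are assumptions made for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample data: entityIDs the OP knows from its federation metadata.
KNOWN_IDPS = {
    "https://idp.example.edu/idp?tenant=a&env=prod": "Example University",
    "urn:example:idp:research-lab": "Example Research Lab",
}


def build_authorization_url(authz_endpoint, client_id, redirect_uri, state,
                            idp_entity_id):
    """RP side: build the /authorization request with a URL-encoded hint."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        # urlencode() percent-encodes ':', '/', '?', '&' and '=' in the
        # entityID, so it survives as one parameter value.
        "aarc_idp_hint": idp_entity_id,
    }
    return authz_endpoint + "?" + urlencode(params)


def resolve_idp_hint(request_url, known_idps=KNOWN_IDPS):
    """OP side: return the entityID to route to, or None for discovery.

    Assumed policy: the hint is only a routing preference, so a missing,
    repeated or unknown value falls back to the discovery page.
    """
    query = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    hints = query.get("aarc_idp_hint", [])
    if len(hints) != 1:
        return None  # absent or ambiguous (parameter sent more than once)
    hint = hints[0]  # parse_qs has already percent-decoded the value
    # Exact match against known entityIDs; never build a redirect target
    # from the raw hint itself.
    return hint if hint in known_idps else None


def naive_authorization_url(authz_endpoint, client_id, idp_entity_id):
    """What goes wrong without encoding: '&env=prod' becomes its own
    parameter and the hint is truncated at the first '&'."""
    return (authz_endpoint + "?client_id=" + client_id
            + "&aarc_idp_hint=" + idp_entity_id)
```
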