<div dir="ltr">Hi,<br><br>IDP Hinting is adopted in the Italian Attribute Authorities infrastructure, p. 36 (Italian only, unfortunately)<br><a href="https://www.agid.gov.it/sites/default/files/repository_files/llgg_attribute_authority-allegato_tecnico_oas3.pdf" target="_blank">https://www.agid.gov.it/sites/default/files/repository_files/llgg_attribute_authority-allegato_tecnico_oas3.pdf</a><br><br>It also references AARC-G049<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 3 Aug 2022 at 14:00, Mischa Salle via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi all,<br>
<br>
FYI in the context of research and education a very common scenario is<br>
an OP that needs to send the user via a "discovery page" to an e.g. SAML<br>
IdP. The discovery page typically shows all the national federation<br>
or global eduGAIN IdPs. The requirement to be able to bypass the<br>
discovery and direct the user to a specific IdP led several groups to<br>
implement idphinting.<br>
Within the AARC community we have therefore come up with a standard that<br>
originally used a parameter named idphint that contains the URL-encoded<br>
SAML entityID of the IdP. This has later been changed and renamed into a<br>
parameter that's more name-collision resistant, aarc_idp_hint, see<br>
<a href="https://zenodo.org/record/4596667" rel="noreferrer" target="_blank">https://zenodo.org/record/4596667</a><br>
URL-encoding the value of the parameter is necessary for SAML entityIDs<br>
which are URIs.<br>
<br>
Best wishes,<br>
Mischa Sallé<br>
<br>
On Tue, Aug 02, 2022 at 03:52:42PM -0700, Vittorio Bertocci via Openid-specs-ab wrote:<br>
> Well, there’s no guarantee that the IdP is connected to the OP/AS via OIDC-<br>
> in fact protocol transition is super common. The actual IdP might have no<br>
> notion of issuer.<br>
> <br>
> On Tue, Aug 2, 2022 at 15:50 David Waite <<a href="mailto:david@alkaline-solutions.com" target="_blank">david@alkaline-solutions.com</a>><br>
> wrote:<br>
> <br>
> ><br>
> ><br>
> > But wouldn’t it usually be the issuer?<br>
> ><br>
> > Sent from my iPhone<br>
> ><br>
> > > On Aug 2, 2022, at 9:50 AM, George Fletcher via Openid-specs-ab <<br>
> > <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>> wrote:<br>
> > ><br>
> > > <br>
> > > All very relevant points. I was looking at it more as idp_hint=<string><br>
> > where <string> is defined by the specific OP and explicitly left out of<br>
> > scope of the spec. All it does is standardize the name of the parameter and<br>
> > let each implementation define its own syntax.<br>
> ><br>
> ><br>
> ><br>
> ><br>
<br>
> _______________________________________________<br>
> Openid-specs-ab mailing list<br>
> <a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
> <a href="https://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
<br>
<br>
-- <br>
Nikhef Room 1.14<br>
Science Park 110 Tel. +31-6-4681 2202<br>
1098 XG Amsterdam Fax +31-20-592 5155<br>
The Netherlands Email <a href="mailto:msalle@nikhef.nl" target="_blank">msalle@nikhef.nl</a><br>
__ .. ... _._. .... ._ ... ._ ._.. ._.. .._..<br>
</blockquote></div>
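Added example, not part of the original thread and not taken from AARC-G049: a Python sketch of why the aarc_idp_hint value must be URL-encoded when the SAML entityID contains its own query string, and of an OP that accepts a hint only if it matches an IdP it already knows. The endpoint, client values and entityIDs are constructed, and the allowlist check with fallback to the discovery page is an assumption of this example.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample data: entityIDs the OP knows from federation metadata.
KNOWN_IDPS = {
    "https://idp.example.org/saml?tenant=a&env=prod",
    "https://login.uni.example/idp/shibboleth",
}

AUTHZ_ENDPOINT = "https://op.example.net/authorize"  # hypothetical OP endpoint


def build_request(entity_id, encode=True):
    """RP side: build an authorization request URL carrying aarc_idp_hint."""
    query = urlencode({
        "response_type": "code",
        "client_id": "demo-rp",                      # constructed
        "redirect_uri": "https://rp.example.com/cb",  # constructed
        "scope": "openid",
    })
    if encode:
        query += "&" + urlencode({"aarc_idp_hint": entity_id})
    else:
        # Deliberately wrong: '&' and '?' inside the entityID leak into the query.
        query += "&aarc_idp_hint=" + entity_id
    return AUTHZ_ENDPOINT + "?" + query


def resolve_hint(request_url):
    """OP side: return the hinted entityID if it is a known IdP.

    Returns None (meaning: show the discovery page) when the hint is
    absent, repeated, or not an exact match for a known entityID.
    """
    values = parse_qs(urlsplit(request_url).query).get("aarc_idp_hint", [])
    if len(values) != 1:
        return None
    hint = values[0]
    # Exact match only: the hint selects among known IdPs and is never
    # used as a redirect target by itself.
    return hint if hint in KNOWN_IDPS else None


if __name__ == "__main__":
    eid = "https://idp.example.org/saml?tenant=a&env=prod"
    print(build_request(eid))
    print(resolve_hint(build_request(eid)))                # full entityID
    print(resolve_hint(build_request(eid, encode=False)))  # None: value truncated
```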