[Openid-specs-ipsie] SAML and IdP Initiated federation (https://github.com/openid/ipsie/issues/100)

Monika Avalur Monika.Avalur at cyberark.com
Mon Aug 4 17:53:42 UTC 2025


Hi,

I would prefer #2. And yes, there is a dire need for IDP initiated SAML federation.

Regards,
Monika

________________________________
From: Openid-specs-ipsie <openid-specs-ipsie-bounces at lists.openid.net> on behalf of Dean H. Saxe via Openid-specs-ipsie <openid-specs-ipsie at lists.openid.net>
Sent: Monday, August 4, 2025 11:19:10 PM
To: Aaron Parecki via Openid-specs-ipsie <openid-specs-ipsie at lists.openid.net>
Subject: [Openid-specs-ipsie] SAML and IdP Initiated federation (https://github.com/openid/ipsie/issues/100)

Following up on this item from the last IPSIE WG meeting, I created https://github.com/openid/ipsie/issues/100.

tl;dr: SAML based federations are highly dependent upon IdP initiated federation flows. A recent update to the Common Requirements doc (https://github.com/openid/ipsie/issues/94, https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html) eliminates the use of IdP initiated flows.

As a WG, we need to determine how to deal with this gap.  I see two choices:

  1.  Move the requirement for RP initiated flows to SL2, allowing them to continue at SL1 for SAML implementations.

  2.  Keep the requirement at SL1 and figure out how to devise a mechanism for SAML that works similar to https://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin

I would appreciate your thoughts on this issue either via the mailing list or as comments on the issue.

Thanks,

-dhs

--

Dean H. Saxe

dean at thesax.es
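The OIDC Third-Party Initiated Login mechanism that option 2 refers to, shown as an added Python example that is not part of this thread or of any IPSIE document: the RP's initiate_login_uri handler reads the iss, login_hint and target_link_uri parameters the IdP sends, verifies iss against the issuers the RP has registered and target_link_uri against the RP's own origin (the open-redirector check the OIDC Core spec requires), and then issues an ordinary RP-initiated authentication request with a fresh state and nonce, which is what makes the flow safe compared with an unsolicited IdP-initiated SAML response. The issuer, endpoint, client_id and redirect_uri values are constructed placeholders.

```python
# Added example, not from the thread: turning a Third-Party Initiated Login
# request (OIDC Core 1.0 section 4) into a normal RP-initiated auth request.
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed configuration: issuers this RP trusts, mapped to their
# authorization endpoints, plus the RP's own client registration.
TRUSTED_ISSUERS = {
    "https://idp.example.com": "https://idp.example.com/authorize",
}
CLIENT_ID = "rp-client-id"
REDIRECT_URI = "https://rp.example.com/callback"
RP_ORIGIN = ("https", "rp.example.com")


def handle_initiate_login(query_string: str) -> dict:
    """Validate iss / login_hint / target_link_uri and build the request.

    Returns the authorization URL together with the state and nonce the RP
    must bind to the browser session before redirecting.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    iss = params.get("iss", [None])[0]
    if iss not in TRUSTED_ISSUERS:
        # Only IdPs the RP has pre-registered may start a login this way.
        raise ValueError("unknown or missing iss")
    target = params.get("target_link_uri", [None])[0]
    if target is not None:
        t = urlparse(target)
        # The spec requires the RP to check target_link_uri so that the
        # initiate_login_uri cannot be abused as an open redirector.
        if (t.scheme, t.netloc) != RP_ORIGIN:
            raise ValueError("target_link_uri outside RP origin")
    state = secrets.token_urlsafe(32)   # CSRF binding for the callback
    nonce = secrets.token_urlsafe(32)   # replay binding for the ID Token
    auth_params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    login_hint = params.get("login_hint", [None])[0]
    if login_hint:
        auth_params["login_hint"] = login_hint  # passed through, not trusted
    return {
        "authorization_url": TRUSTED_ISSUERS[iss] + "?" + urlencode(auth_params),
        "state": state,
        "nonce": nonce,
        "target_link_uri": target,  # stored with state, used after login
    }
```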