<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<div dir="ltr" style="font-family: Aptos, -apple-system, HelveticaNeue, sans-serif; font-size: 12pt;">
Hi,</div>
<div dir="ltr" style="font-family: Aptos, -apple-system, HelveticaNeue, sans-serif; font-size: 12pt;">
<br>
</div>
<div dir="ltr" style="font-family: Aptos, -apple-system, HelveticaNeue, sans-serif; font-size: 12pt;">
I would prefer #2. And yes, there is a dire need for IdP-initiated SAML federation.</div>
<div dir="ltr" style="font-family: Aptos, -apple-system, HelveticaNeue, sans-serif; font-size: 12pt;">
<br>
</div>
<div dir="ltr" style="font-family: Aptos, -apple-system, HelveticaNeue, sans-serif; font-size: 12pt;">
Regards,</div>
<div dir="ltr" style="font-family: Aptos, -apple-system, HelveticaNeue, sans-serif; font-size: 12pt;">
Monika</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Openid-specs-ipsie &lt;openid-specs-ipsie-bounces@lists.openid.net&gt; on behalf of Dean H. Saxe via Openid-specs-ipsie &lt;openid-specs-ipsie@lists.openid.net&gt;<br>
<b>Sent:</b> Monday, August 4, 2025 11:19:10 PM<br>
<b>To:</b> Aaron Parecki via Openid-specs-ipsie &lt;openid-specs-ipsie@lists.openid.net&gt;<br>
<b>Subject:</b> [Openid-specs-ipsie] SAML and IdP Initiated federation (https://github.com/openid/ipsie/issues/100)</font>
<div> </div>
</div>
<div>
<div>
<p dir="auto">Following up on this item from the last IPSIE WG meeting, I created
<a target="_blank" rel="noopener noreferrer nofollow" class="x_custom-editor-link-class" href="https://github.com/openid/ipsie/issues/100">https://github.com/openid/ipsie/issues/100</a>.</p>
<p dir="auto">tl;dr: SAML-based federations are highly dependent upon IdP-initiated federation flows. A recent update to the Common Requirements doc (<a target="_blank" rel="noopener noreferrer nofollow" class="x_custom-editor-link-class" href="https://github.com/openid/ipsie/issues/94">https://github.com/openid/ipsie/issues/94</a>,
<a target="_blank" rel="noopener noreferrer nofollow" class="x_custom-editor-link-class" href="https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html">https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html</a>) eliminates the use of IdP-initiated flows.</p>
<p dir="auto">As a WG, we need to determine how to deal with this gap. I see two choices:</p>
<ol class="x_custom-editor-ordered-list-class" dir="auto">
<li dir="auto">
<p dir="auto">Move the requirement for RP initiated flows to SL2, allowing them to continue at SL1 for SAML implementations.  </p>
</li><li dir="auto">
<p dir="auto">Keep the requirement at SL1 and figure out how to devise a mechanism for SAML that works similarly to <a target="_blank" rel="nofollow" class="x_custom-editor-link-class" href="https://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin" style="box-sizing:border-box; background-color:rgba(0,0,0,0); color:rgb(9,105,218); text-decoration:underline"><u>https://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin</u></a></p>
</li></ol>
<p dir="auto">I would appreciate your thoughts on this issue either via the mailing list or as comments on the issue.</p>
<p dir="auto">Thanks,</p>
<p dir="auto">-dhs</p>
<div class="x_signature">
<p dir="auto">--</p>
<div dir="auto">
<p dir="auto">Dean H. Saxe</p>
</div>
<div dir="auto">
<p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" class="x_custom-editor-link-class" href="mailto:dean@thesax.es">dean@thesax.es</a></p>
</div>
</div>
</div>
</div>
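<div>
<p dir="auto">Added example, not part of the thread, the IPSIE drafts or any product: a minimal RP-side handler, in Python, for the OpenID Connect "Initiating Login from a Third Party" mechanism that choice #2 points to (OpenID Connect Core 1.0, section 4). It shows why that mechanism is a safer analogue of an IdP-initiated flow: the IdP (or any third party) only sends the RP to its initiate-login endpoint with <code>iss</code>, an optional <code>login_hint</code> and an optional <code>target_link_uri</code>; the RP then originates the actual authentication request itself, binding <code>state</code> and <code>nonce</code> to it, which an unsolicited SAML response cannot offer. The RP origin, client id, redirect URI and issuer allowlist below are constructed placeholders (assumptions), and pending-login storage is an in-memory dict for illustration.</p>

```python
"""RP-side handler for OIDC "Initiating Login from a Third Party".

Illustrative example for the IPSIE discussion; not taken from the IPSIE
drafts or any product. Configuration values are constructed placeholders.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed RP configuration (assumption, not from the thread).
RP_ORIGIN = "https://rp.example"
RP_CLIENT_ID = "rp-client-id"
RP_REDIRECT_URI = "https://rp.example/cb"

# Constructed issuer allowlist (assumption). In a real RP this comes from
# the registered IdPs and their discovery documents; an `iss` value that
# is not registered here is refused rather than looked up dynamically.
KNOWN_ISSUERS = {
    "https://idp.example": {
        "authorization_endpoint": "https://idp.example/authorize",
    }
}

# Per-login state kept until the authorization response arrives, keyed by
# the unguessable `state` value the RP generated. In-memory for the example.
PENDING_LOGINS: dict[str, dict] = {}


class InitiateLoginError(Exception):
    """Raised when a third-party initiated login request is rejected."""


def validate_target_link_uri(target: str) -> str:
    """Accept only deep links into this RP.

    Core 1.0 section 4 requires the RP to validate target_link_uri; a
    foreign target would turn the initiate-login endpoint into an open
    redirector after login completes.
    """
    parts = urlsplit(target)
    origin = f"{parts.scheme}://{parts.netloc}"
    if origin != RP_ORIGIN:
        raise InitiateLoginError(f"target_link_uri not on RP origin: {target}")
    return target


def handle_initiate_login(query_string: str) -> str:
    """Handle GET /initiate-login?iss=...&login_hint=...&target_link_uri=...

    Returns the authentication request URL the browser is redirected to.
    Unlike an IdP-initiated SAML flow, nothing is asserted to the RP here:
    the RP starts the authentication request and records `state`/`nonce`,
    so the eventual response is correlated with a request this RP made.
    """
    params = {k: v[0] for k, v in parse_qs(query_string).items()}

    iss = params.get("iss")
    if iss is None:
        raise InitiateLoginError("iss is required")
    issuer = KNOWN_ISSUERS.get(iss)
    if issuer is None:
        raise InitiateLoginError(f"unknown issuer: {iss}")

    # Default to the RP's landing page when no deep link is supplied.
    target = validate_target_link_uri(params.get("target_link_uri", RP_ORIGIN + "/"))

    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    PENDING_LOGINS[state] = {"iss": iss, "nonce": nonce, "target": target}

    authn = {
        "response_type": "code",
        "client_id": RP_CLIENT_ID,
        "redirect_uri": RP_REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    if "login_hint" in params:
        # Passed through only as a hint; the IdP still authenticates the user.
        authn["login_hint"] = params["login_hint"]
    return issuer["authorization_endpoint"] + "?" + urlencode(authn)


if __name__ == "__main__":
    # Constructed request, as an IdP-hosted portal link would produce it.
    print(handle_initiate_login(
        "iss=https%3A%2F%2Fidp.example&login_hint=alice"
        "&target_link_uri=https%3A%2F%2Frp.example%2Fdocs%2F42"))
```

<p dir="auto">The two checks carry the security weight: <code>iss</code> must match a registered issuer, and <code>target_link_uri</code> must stay on the RP's own origin. Everything else is an ordinary RP-initiated authentication request, which is what lets the SL1 "RP initiates" requirement hold while still giving an IdP portal a link that lands the user in the right place. A SAML analogue would need the same shape: the IdP link points at an SP endpoint that issues an AuthnRequest, rather than posting an unsolicited Response.</p>
</div>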
</body>
</html>