Binding HTTP-Post with isPassive

My question is very similar to: How do I implement the HTTP POST binding for the SAML WebSSO profile?

But I could not find the correct answer in it. Is it possible to send a request through the HTTP-Post binding with isPassive set to true? The OASIS spec says that the IdP should not "explicitly" control the user interface. So the IdP needs to know about it somehow.

If the user is already active in the session on the SP side, how do I pass this information to the IdP and re-authenticate the user?

I want to validate the user without interfering with the user flow ...

+3

1 answer


There are several common ways to re-authenticate a user using IsPassive = true. For example, integrated Windows Auth (Kerberos) and x509 Cert Based Auth can be performed without visible user interface interaction.



If you combine ForceAuthn = true and IsPassive = true in your AuthnRequest, this forces the IDP to re-authenticate the user if both conditions can be met.

0
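The request the answer describes, sent over the HTTP-POST binding, together with the SP-side handling of the IdP's reply when it cannot authenticate passively. This is an added example, not code from the question or the answer; the function names and the `sp.example` / `idp.example` style URLs a caller would pass in are assumptions, and request signing and response signature validation are left out.

```python
import base64, uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from html import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NO_PASSIVE = "urn:oasis:names:tc:SAML:2.0:status:NoPassive"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def build_authn_request(sp_entity_id, acs_url, idp_sso_url, force_authn=True):
    """Return (request_id, xml_bytes) for an AuthnRequest with IsPassive="true"."""
    request_id = "_" + uuid.uuid4().hex  # keep it: the response must echo it
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": POST_BINDING,
        "IsPassive": "true",
        "ForceAuthn": "true" if force_authn else "false",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    return request_id, ET.tostring(req, encoding="utf-8")

def post_form(idp_sso_url, xml_bytes, relay_state):
    """HTTP-POST binding: SAMLRequest is plain base64 of the XML (no DEFLATE)."""
    b64 = base64.b64encode(xml_bytes).decode("ascii")
    return (f'<form method="post" action="{escape(idp_sso_url)}">'
            f'<input type="hidden" name="SAMLRequest" value="{b64}"/>'
            f'<input type="hidden" name="RelayState" value="{escape(relay_state)}"/>'
            '</form>')

def classify_response(saml_response_b64, expected_request_id):
    """Return 'success', 'no_passive' or 'error' for a posted SAMLResponse."""
    # Assumption: signature checks and hardened XML parsing happen before this.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.get("InResponseTo") != expected_request_id:
        return "error"  # unsolicited or replayed response
    codes = [c.get("Value") for c in root.iter(f"{{{SAMLP}}}StatusCode")]
    if codes[:1] == [SUCCESS]:
        return "success"
    return "no_passive" if NO_PASSIVE in codes else "error"
```

A `no_passive` result means the IdP could not authenticate the user without showing UI, so the SP decides whether to keep the existing session or send a second, non-passive request.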