On 5/23/14, 12:15 PM, "Sam Hartman" <[log in to unmask]> wrote:
>
>The IDP shares the SP-specific identifier with the AA.
>The IDP shares the SP-specific identifier with the SP.
>
>Later, the SP contacts the AA.
>The AA needs to know which SP is involved so it can know who to release
>to and what authentication to require.
>
>Have I got it?
>Any considerations I'm missing?
That's pretty much the basic case, handled today most often by just
sharing a global correlation handle, or by moving the aggregation to the
front-channel so the client mediates it instead of using a common
identifier.
There are many solutions to ratchet up the privacy with varying degrees of
complexity involved.
-- Scott
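The flow Sam sketches (IdP mints an SP-specific identifier, shares it with both the AA and the SP, and the AA later answers the SP's query only after working out which SP is asking and authenticating it), as an added Python model that is not part of this thread or of any real SAML implementation. The HMAC-based pairwise derivation, the shared-secret SP authentication and the sample data are assumptions for illustration; it uses pairwise identifiers rather than the global correlation handle Scott mentions, so the two SPs receive different values for the same user.

```python
import hmac
import hashlib
import secrets

class AttributeAuthority:
    # Keyed by (SP-specific id, SP) so the AA knows which SP is asking. Constructed model.
    def __init__(self, attributes, release_policy, sp_credentials):
        self.attributes = attributes          # user -> {attribute: value}
        self.release_policy = release_policy  # sp_entity_id -> releasable attribute names
        self.sp_credentials = sp_credentials  # sp_entity_id -> shared secret (assumed scheme)
        self.handles = {}                     # (pairwise_id, sp_entity_id) -> user

    def register(self, pairwise_id, sp_entity_id, user):
        # The IdP shares the SP-specific identifier with the AA.
        self.handles[(pairwise_id, sp_entity_id)] = user

    def query(self, sp_entity_id, sp_secret, pairwise_id):
        # Authenticate the SP, resolve the handle only for the SP it was minted for,
        # then release only what this SP's policy allows.
        expected = self.sp_credentials.get(sp_entity_id)
        if expected is None or not hmac.compare_digest(expected, sp_secret):
            raise PermissionError("SP authentication failed")
        user = self.handles.get((pairwise_id, sp_entity_id))
        if user is None:
            raise PermissionError("identifier was not issued to this SP")
        allowed = self.release_policy.get(sp_entity_id, set())
        return {k: v for k, v in self.attributes[user].items() if k in allowed}

class IdentityProvider:
    # Pairwise id per (user, SP): two SPs cannot correlate a user by comparing ids.
    def __init__(self, aa, key=None):
        self.aa = aa
        self.key = key or secrets.token_bytes(32)  # constructed IdP secret

    def pairwise_id(self, user, sp_entity_id):
        return hmac.new(self.key, f"{user}|{sp_entity_id}".encode(), hashlib.sha256).hexdigest()

    def login(self, user, sp_entity_id):
        pid = self.pairwise_id(user, sp_entity_id)
        self.aa.register(pid, sp_entity_id, user)  # shared with the AA
        return pid                                 # shared with the SP

def demo():
    # Constructed sample data: one user, two SPs, only sp1 may see affiliation.
    aa = AttributeAuthority({"alice": {"mail": "alice@example.org", "affiliation": "staff"}},
                            {"https://sp1.example": {"affiliation"}},
                            {"https://sp1.example": "sp1-secret", "https://sp2.example": "sp2-secret"})
    idp = IdentityProvider(aa)
    return aa, idp.login("alice", "https://sp1.example"), idp.login("alice", "https://sp2.example")
```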