On 26 May 2010, at 16:17, Klaas Wierenga wrote:

> - IdP discovery
>
> I don't think that in the use cases I am thinking of currently (jabber, imap etc.) IdP discovery is that important. I can very well live with having the client specify the IdP instead of relying on a discovery url provided by the server. I wanted to be as flexible as possible, but given your and others' feedback I can change that. I see 2 options: introduce an "IdP hint" provided by the client and fall back to one provided by the server and discuss this in the security considerations, or have the client always provide the IdP. I guess you prefer the latter; what do others think?

At least in the case of Jabber and IMAP, I guess you are close to the "best situation" that Scott mentioned: you can ask the user for a "generalized NetID" (it is an idea to avoid using "e-mail" in its name) and derive the IdP hint from it, so that it is a reasonable mix of both approaches, I think...

Be goode,

--
"This time we will not fail, Doctor Infierno"
Dr Diego R. Lopez
Red.es - RedIRIS
The Spanish NREN

e-mail: [log in to unmask]
jid: [log in to unmask]
Tel: +34 955 056 621
Mobile: +34 669 898 094