Reputation: 1101
SAML 2.0 IsPassive option
When working on an Apache Tomcat SAML 2.0 based single-sign-on (SSO), I came across the property named 'IsPassive' under SAML 2.0 Authentication Requests. The SAML 2.0 spec introduces this as follows:
IsPassive [Optional] A Boolean value. If "true", the identity provider and the user agent itself MUST NOT visibly take control of the user interface from the requester and interact with the presenter in a noticeable fashion. If a value is not provided, the default is "false".
What is the most accurate meaning or example of this definition in terms of a single-sign-on scenario? Does this property have a connection with active and passive profiles in single-sign-on?
Upvotes: 5
Views: 7807
Answers (1)
Reputation: 4255
First, this has nothing to do with the Active or Passive SSO. Typically "Active" refers to Web Services based SSO (I usually think about desktop client apps for this) while "Passive" more typically refers to Browser-based SSO.
Second, by sending IsPassive=True, the SP is essentially telling the IDP, "Authenticate this user only if you can do it without have the user involved." I think the most common methods for Web SSO might be Kerberos (Integrate Windows Auth) or x509. Alternatively, if the IDP has already authenticated the user and the user has a valid session that can be re-used for the given SP AuthnRequest, then that qualifies as meeting the IsPassive=true requirements IIRC.
Upvotes: 5
Related Questions
- SAML 2.0 Response and the KeyInfo element
- Select Identity Provider Locally with Spring Security's SAML 2.0
- Identity server 4 with SAML 2.0 as external identity provider for SSO
- Single Sign-On in Spring by using SAML Extension and Shibboleth
- SAML 2.0 password authentication
- What is the purpose/usage of SAML 2.0 Auth Request?
- SAML 2.0 protocol exposed as Web Service
- Is Shibboleth SP an implementation of SAML 2.0?
- WIF SAML 2.0 CTP Identity Provider Initiated SSO
- Self-Signed Certificate with SAML 2.0