[Satosa-dev] setting the IdP Discovery Profile common domain cookie

Scott Koranda skoranda at gmail.com
Tue Nov 14 21:26:34 CET 2017


Hi,

The Shibboleth IdP has the nice feature [1] that it can be configured to set
the IdP Discovery Profile common domain cookie [2] after receiving a
valid assertion from an IdP. It can be useful because only IdPs that a
user has actually successfully used are recorded and then later revealed
as choices to the user in a subsequent flow.

I have a use case where it would be helpful if the SP side of SATOSA
could do the same thing.

I ran

find . -type f -exec grep -l _saml_idp {} \;

on the SATOSA source and it did not return anything, so I suspect this
functionality is not currently supported by SATOSA.

Would anybody object to adding it? It would of course be "off" by
default and would only set the cookie (with configurable properties)
when configured to do so.

Thoughts?

Thanks,

Scott K

P.S. I understand that new approaches to discovery that will likely come
out of the RA21 effort will probably supplant this functionality, but as
usual the use case I need to support needs this "right now"...

[1] See idpHistory and idpHistoryProps at 
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSessions

[2] See section 4.3 of
http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
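The common domain cookie the post refers to is defined in section 4.3 of the SAML 2.0 Profiles document cited as [2]: a cookie named _saml_idp whose value is a list of base64-encoded IdP entityIDs separated by single spaces, ordered by last use with the most recently used IdP last. The following is an added example, written for this page rather than taken from SATOSA, Shibboleth or the original post, of the read/append/write cycle an SP-side implementation would need after a successful assertion. It assumes a few things the profile does not fix: the value is percent-encoded on the wire because RFC 6265 forbids a literal space in a cookie value, the list is capped at a configurable number of entries (default 5), and the Set-Cookie attributes (Max-Age of 30 days, Secure, SameSite=Lax, optional HttpOnly) are this example's choices. Names such as `record_idp` and `build_set_cookie` are invented for the example.

```python
"""Common domain cookie (CDC) helpers modelled on SAML 2.0 Profiles,
section 4.3 (IdP Discovery Profile).  Example code, not SATOSA's own."""
import base64
import binascii
from typing import List
from urllib.parse import quote, unquote

COOKIE_NAME = "_saml_idp"  # cookie name fixed by the IdP Discovery Profile


def decode_cdc(raw_value: str) -> List[str]:
    """Return the entityIDs in a CDC value, oldest first, newest last.

    The profile defines the value as base64-encoded entityIDs separated by
    single spaces.  This example (an assumption, not part of the profile)
    percent-encodes the whole value on the wire and undoes that here.
    """
    ids: List[str] = []
    for token in unquote(raw_value or "").split(" "):
        if not token:
            continue
        try:
            ids.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            # The cookie is browser-controlled and is only a hint for the
            # IdP chooser, so a tampered or truncated entry is dropped
            # instead of aborting the login flow.
            continue
    return ids


def encode_cdc(entity_ids: List[str]) -> str:
    """Serialise entityIDs to the on-the-wire CDC value (oldest first)."""
    tokens = (base64.b64encode(e.encode("utf-8")).decode("ascii") for e in entity_ids)
    return quote(" ".join(tokens), safe="")


def record_idp(raw_value: str, entity_id: str, max_entries: int = 5) -> str:
    """Append entity_id as the most recently used IdP and return the new value.

    An entityID already present is moved to the end rather than duplicated;
    the list is then truncated to the newest max_entries entries (the cap
    is this example's choice; the profile sets none).
    """
    ids = [e for e in decode_cdc(raw_value) if e != entity_id]
    ids.append(entity_id)
    return encode_cdc(ids[-max_entries:])


def build_set_cookie(value: str, common_domain: str,
                     max_age: int = 30 * 24 * 3600,
                     http_only: bool = False) -> str:
    """Build a Set-Cookie header value for the CDC.

    Domain must be the shared common domain so the reader hosted there
    receives the cookie.  Secure keeps it off plaintext HTTP.  SameSite=Lax
    still sends it on the top-level redirect to the reader.  HttpOnly is
    left optional because a browser-side discovery page may need to read it.
    """
    attrs = [f"{COOKIE_NAME}={value}", f"Domain={common_domain}", "Path=/",
             f"Max-Age={max_age}", "Secure", "SameSite=Lax"]
    if http_only:
        attrs.append("HttpOnly")
    return "; ".join(attrs)


if __name__ == "__main__":
    # Constructed sample: a browser with no cookie authenticates at one IdP,
    # then later at a second one; both entityIDs are made up for the example.
    first = record_idp("", "https://idp.example.org/idp/shibboleth")
    second = record_idp(first, "https://idp.example.edu/saml2/idp")
    print(decode_cdc(second))
    print(build_set_cookie(second, "cdc.example.net"))
```

When the list is later shown to the user, each decoded entityID should be checked against the SP's current metadata before it is offered as a choice, since the cookie is writable by the browser and may name IdPs the SP no longer trusts.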