I'm aware of how SAML is used for single sign-on (SSO), i.e. the redirection between the IdP and the SP, and getting the user's identity from the SAML response/assertion.

My question: does the SAML 2.0 specification define how to pass a username and password as part of the SAML request XML for authentication? Note that I'm not talking about single sign-on; I want authentication with a username/password.

Thanks,
The SAML standard supports passing a user identifier in the `<saml:Subject>` field of `<AuthnRequest>` (i.e. the request for authentication).

There is no built-in support for passing a password as part of the `AuthnRequest`. IMHO doing so goes against the principles of SAML 2, which expects the IdP to use the password when authenticating. The IdP may use any means it finds suitable to confirm the identity of the subject: password, certificate, or a one-time pad exchange over SMS, or anything else; it's up to the IdP.
That said, there is an `<Extensions>` element in `<AuthnRequest>` that could be used to carry a password. Doing so requires careful security considerations, as the `AuthnRequest` contents are not designed to be kept secret. If you are using the HTTP Redirect binding, the contents are logged in the web server and visible in the browser history. If you are using the HTTP POST binding, the password is still visible to the browser. I would suggest using the SOAP or Artifact binding to make sure the data is transferred directly from the SP to the IdP. Note that these bindings have considerably less support in frameworks.
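To make the answer's two points concrete, here is an added example (written for this page, not code from the original post or any SAML library): it builds an `AuthnRequest` that carries the user identifier in `<saml:Subject>`, encodes it for the HTTP-Redirect binding (raw DEFLATE, base64, URL query parameter), and then decodes the resulting URL the way any proxy, web-server log reader or browser-history viewer could. The issuer, ACS and IdP URLs and the NameID value are constructed sample values, not real endpoints.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces as defined by the OASIS specification.
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(issuer, acs_url, destination, subject_name_id):
    """Return an AuthnRequest (as XML text) whose <saml:Subject> names the user.

    The user identifier goes into NameID; no password is placed anywhere, in
    line with the answer above: the IdP, not the request, authenticates the user.
    """
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,          # IDs must start with a letter or underscore
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": HTTP_POST_BINDING,  # binding requested for the Response
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(root, f"{{{SAML}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": NAMEID_UNSPECIFIED})
    name_id.text = subject_name_id
    return ET.tostring(root, encoding="unicode")


def redirect_binding_url(idp_sso_url, authn_request_xml, relay_state=None):
    """Encode the request per the HTTP-Redirect binding: raw DEFLATE, base64, query string."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return idp_sso_url + "?" + urlencode(params)


def decode_redirect_binding(url):
    """Recover the AuthnRequest XML from a redirect URL.

    Anything that sees the URL (access logs, browser history, a proxy) can do
    exactly this, which is why the request body must contain nothing secret.
    """
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def subject_from_authn_request(xml_text):
    """Return the NameID text from <saml:Subject>, or None if the request has no Subject."""
    root = ET.fromstring(xml_text)
    name_id = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    return name_id.text if name_id is not None else None


if __name__ == "__main__":
    # Constructed sample values; none of these hosts are real.
    xml = build_authn_request("https://sp.example/metadata", "https://sp.example/acs",
                              "https://idp.example/sso", "alice@example.org")
    url = redirect_binding_url("https://idp.example/sso", xml, relay_state="state-123")
    print("Redirect URL the browser will request:\n", url)
    print("\nWhat a log reader recovers from it:\n", decode_redirect_binding(url))
    print("\nSubject carried in the request:", subject_from_authn_request(decode_redirect_binding(url)))
```

Running it shows the identifier placed in `<saml:Subject>` coming straight back out of the URL, which is the practical reason the answer warns against putting a password into `<Extensions>` under the Redirect binding: the decode step needs no key and no IdP cooperation, only the URL.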