tag:blogger.com,1999:blog-5458926912966805650.post5875427474120521832..comments2008-04-19T17:10:26.085-07:00MultiFactor Corphttp://www.blogger.com/profile/04290316769878487707noreply@blogger.comBlogger1125tag:blogger.com,1999:blog-5458926912966805650.post-71249017315831994522008-04-19T17:10:00.000-07:002008-04-19T17:10:00.000-07:00Garret... I very agree with you that one of the benefits of using a SAML 2.0 architecture for Federated Identity is that the the task of AuthN is at the IdP and you can pass an AuthN assertion to the SP.<BR/><BR/>My point in my blog entry was not that this was a "bad" alternative or that PKI enabling the SP was a "good" alternative, as much as calling out that there are some communities, usually ones who have extensive PKI infrastructures already in place, that will not allow a remote entity (i.e. an IdP) to vouch for the identity of a subject.<BR/><BR/>In addition, I was making a point that the reason for this often is not technical as much as an issue of trust. i.e. An SP org may not have visibility into the user vetting and credential issuance policies of the IdP and as such may not trust the assertion.aniltjhttp://www.aniltj.com/blog/noreply@blogger.com