About the SAMLv2 Identity Provider Proxy Specification
The OpenSSO Enterprise Identity Provider Proxy is based on the SAMLv2 specification which states the following:
If an identity provider that receives an <AuthnRequest> has not yet authenticated the presenter or cannot directly authenticate the presenter, but believes that the presenter has already authenticated to another identity provider or a non-SAML equivalent, it may respond to the request by issuing a new <AuthnRequest> on its own behalf to be presented to the other identity provider, or a request in whatever non-SAML format the entity recognizes. The original identity provider is termed the proxying identity provider.
Upon the successful return of a <Response> (or non-SAML equivalent) to the proxying provider, the enclosed assertion or non-SAML equivalent MAY be used to authenticate the presenter so that the proxying provider can issue an assertion of its own in response to the original <AuthnRequest>, completing the overall message exchange.
See the complete SAMLv2 specifications at http://saml.xml.org/saml-specifications.
- © 2010, Oracle Corporation and/or its affiliates