Of course, if we were to do that, we would have to have protocols to
enable it on the back channel (a SOAP interface accessed directly by the
SP) and on the front channel (a redirect of the user's browser from the SP
to the IdP). The front channel is needed for IdPs that store session
information on the user's browser.
This should not be forced to be a back channel (a SOAP interface accessed
directly by the SP) as there are requirements to have other requestor types
than a browser.
Anthony Nadalin | work 512.436.9568 | cell 512.289.4122