The isPassive feature can only be used with a SAML2 Service Provider. It allows a user to be logged in automatically on a web page without any user interaction. However, for this to work:
If both conditions are met, the user's attributes will be available automatically when he accesses a page that makes use of isPassive, e.g. using the script below.
If one of the two requirements mentioned above cannot be met, the Service Provider will throw an error. Therefore, a Service Provider administrator who wants to make use of the auto-login feature has to use a script like the one below, which makes sure the user won't see that error.
The main requirement for implementing isPassive with SAML2 products is that there must not be any user interaction while the user is at the Discovery Service or the Identity Provider. Therefore, isPassive can only work with authentication systems and other authentication-related tools that obey this requirement.
External authentication systems like CAS and Pubcookie will most likely not obey isPassive.
In order to use the script, try the following:
As of SP 2.2 you can set ignoreNoPassive on your AssertionConsumerService, e.g.:
<md:AssertionConsumerService Location="/SAML2/POST" index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" conf:ignoreNoPassive="true" />
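The following is an added example of the request-handling logic such an auto-login script needs; it is not the page's own script. It assumes the SP exports the session as a Shib-Session-ID request header, that the session initiator lives at /Shibboleth.sso/Login, and it uses an assumed cookie name (shib_passive_tried) to make sure a browser for which the IdP answered NoPassive is served without attributes instead of being bounced to the IdP on every request.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlencode

# Names below are assumptions for this example, not taken from the page.
SESSION_HEADER = "Shib-Session-ID"       # header the SP exports when a session exists
TRIED_COOKIE = "shib_passive_tried"      # assumed name; marks one passive attempt per browser
LOGIN_HANDLER = "/Shibboleth.sso/Login"  # assumed session-initiator location


def parse_cookies(cookie_header):
    """Turn a raw Cookie header into a dict (empty if the header is missing)."""
    jar = SimpleCookie()
    if cookie_header:
        jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


def passive_login_decision(headers, target_url):
    """
    Decide what a page using isPassive does for one request.
    Returns (action, location, set_cookie):
      "serve"     : an SP session exists, the attributes are available
      "redirect"  : send the browser to the session initiator with isPassive=true
      "anonymous" : a passive attempt was already made; render without attributes
    `headers` is a constructed stand-in for the request headers.
    """
    if headers.get(SESSION_HEADER):
        return ("serve", None, None)
    cookies = parse_cookies(headers.get("Cookie"))
    if cookies.get(TRIED_COOKIE) == "1":
        # The IdP or Discovery Service could not log the user in silently
        # (NoPassive). Do not try again in this browser session, otherwise the
        # page would loop between SP and IdP on every request.
        return ("anonymous", None, None)
    query = urlencode({"isPassive": "true", "target": target_url})
    # Session cookie (no Max-Age): a new browser session gets one more attempt.
    set_cookie = f"{TRIED_COOKIE}=1; Path=/; Secure; HttpOnly"
    return ("redirect", f"{LOGIN_HANDLER}?{query}", set_cookie)
```

With ignoreNoPassive="true" the SP returns the user to the target without a session when the IdP answers NoPassive, and the cookie check above then serves the page anonymously instead of redirecting again.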
If the Discovery Service guesses that a user's Identity Provider is a SAML1 IdP, this IdP will not obey the isPassive requirement not to interact with the user. Therefore, it can still happen that the user is asked to authenticate at the IdP.
If a user already has a session with a SAML1 IdP, things should work as expected unless other tools installed at the IdP do not obey isPassive.