opensaml - SAML 2.0 IsPassive option
While working on Apache Tomcat SAML 2.0 based single sign-on (SSO), I came across a property named 'IsPassive' under SAML 2.0 authentication requests. The SAML 2.0 spec introduces it as follows:
IsPassive [Optional] A Boolean value. If "true", the identity provider and the user agent itself MUST NOT visibly take control of the user interface from the requester and interact with the presenter in a noticeable fashion. If a value is not provided, the default is "false".
What is the accurate meaning, or an example, of this definition in terms of a single sign-on scenario? Does this property have any connection to the active and passive profiles in single sign-on?
First, it has nothing to do with active or passive SSO. Typically "active" refers to web services based SSO (I think desktop client apps use this), while "passive" more typically refers to browser-based SSO.
Second, by sending IsPassive=true, the SP is telling the IdP, "Authenticate the user if you can without having the user involved." I think common methods for web SSO might be Kerberos (Integrated Windows Auth) or X509. Alternatively, if the IdP has authenticated the user and the user has a valid session that can be re-used for the given SP AuthnRequest, that qualifies as meeting the IsPassive=true requirements, IIRC.
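The exchange described in the answer above, as an added example that is not part of the original post and is not OpenSAML code: the SP sets `IsPassive="true"` on the AuthnRequest, and when the IdP cannot authenticate silently it answers with the second-level status `urn:oasis:names:tc:SAML:2.0:status:NoPassive` defined in SAML 2.0 core. The function names, request IDs and the `sp.example` URL are constructed for illustration, and signature validation is assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
NS = {"samlp": SAMLP}
ET.register_namespace("samlp", SAMLP)

def build_authn_request(request_id, issue_instant, acs_url, is_passive):
    """Serialize a minimal AuthnRequest (no Issuer, unsigned); IsPassive is an xs:boolean."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "AssertionConsumerServiceURL": acs_url,
        "IsPassive": "true" if is_passive else "false",
    })
    return ET.tostring(req, encoding="unicode")

def classify_response(xml_text, expected_request_id):
    """Return 'authenticated', 'no_passive' or 'failed' for a samlp:Response."""
    root = ET.fromstring(xml_text)
    # Bind the response to the request we sent before reading its status.
    if root.get("InResponseTo") != expected_request_id:
        return "failed"
    top = root.find("samlp:Status/samlp:StatusCode", NS)
    if top is None:
        return "failed"
    if top.get("Value") == STATUS + "Success":
        return "authenticated"  # assertion signature and conditions still need checking
    nested = top.find("samlp:StatusCode", NS)
    if nested is not None and nested.get("Value") == STATUS + "NoPassive":
        return "no_passive"  # no reusable IdP session: retry with IsPassive="false"
    return "failed"

# Constructed sample: the IdP could not authenticate without user interaction.
NO_PASSIVE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_resp1" InResponseTo="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:05Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoPassive"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""

if __name__ == "__main__":
    print(build_authn_request("_req1", "2024-01-01T00:00:00Z", "https://sp.example/acs", True))
    print(classify_response(NO_PASSIVE_RESPONSE, "_req1"))
```

An SP that gets `no_passive` back typically treats the user as not logged in, or sends a second AuthnRequest with `IsPassive="false"` so the IdP can show its login page.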