I have been reading about SAML. I have one question
From what I understand, the identity provider is contacted by the web service to verify the username and pw. Does this mean that the user sends the username and pw to the web service. Does this actually go through the wire? Would this data be encrypted ?