Subject: Re: [saml-dev] attributeexchange: where to add the receiver
Thanks for your answers. I am working with SAML 1.1, so the SAML 2.0 metadata
specification is out of scope.

My situation is that it's no problem to get the URL of a service provider when
I know which SP to take. The problem is that there could be more than one
service provider, each one identified by an id. When I have the id, I can get
the URL by looking it up in a database. But how do I get the id? In a response
there is an "issuer" field, but in a request? Is there no way to get the id of
the service provider in the SAML message?

If I send the response with the attributes back to the URL of the HTTP request,
isn't there the vulnerability of faking the URL and getting the attributes to
the wrong receiver? Adding the id to the SAML message and signing it would
prevent this.

Chris
--
PGP Fingerprint: 633B 47E1 B4AE 6184 2C83 E3DA B800 7BDD 038C 9060

----- Original Message -----
From: "Jahan Moreh" <jmoreh@sigaba.com>
To: "Christoph Riesenberger" <christoph.riesenberger@aon.at>; <saml-dev@lists.oasis-open.org>
Sent: Wednesday, March 31, 2004 6:51 PM
Subject: RE: [saml-dev] attributeexchange: where to add the receiver

> Chris -
>
> This is indeed a very good question. The general question is how do SAML
> "consumers" and "producers" (in your example, the attribute consumer and the
> identity provider respectively) know about various service end points and
> other "metadata". This is the subject of the SAML 2.0 Metadata specification,
> which is currently in draft form. This draft specification allows the
> attribute consumer to specify one or more URLs at which it can consume the
> attributes (there are also provisions for designating one of the URLs as
> default). If you are interested, you can review the draft at
> http://www.oasis-open.org/apps/org/workgroup/security/download.php/6169/sstc-saml-metadata-2.0-draft-02.pdf.
> Please note: this is a draft and represents work in progress.
>
> Also note that metadata exchanged is independent of the SAML queries and
> responses (preferably, metadata is exchanged prior to the query/response
> communication and also exchanged much less frequently than regular SAML
> query/response messages).
>
> Jahan
>
> ------
> Jahan Moreh
> Chief Security Architect
> 310.288.2141
>
> -----Original Message-----
> From: Christoph Riesenberger [mailto:christoph.riesenberger@aon.at]
> Sent: Wednesday, March 31, 2004 5:15 AM
> To: saml-dev@lists.oasis-open.org
> Subject: [saml-dev] attributeexchange: where to add the receiver
>
> Hi,
>
> I am working on an attribute exchange of 2 providers about a user. The
> "service provider" sends an AttributeQuery to the "identity provider".
> The identity provider checks if the service provider is allowed to get the
> attributes and sends back an AttributeStatement. But how does he know where
> to send it back, if there is no provider id or URL of the service provider
> intended in an AttributeQuery?
>
> Is there a way where to add this information in a SAML query?
>
> Thanks,
> Chris
> --
> PGP Fingerprint: 633B 47E1 B4AE 6184 2C83 E3DA B800 7BDD 038C 9060
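The mitigation Chris proposes, carried out end to end as an added example that is not part of the thread and not from any SAML library: the requester id travels inside the query, the query is signed, and the identity provider authenticates the requester from that signature and then takes the response endpoint from its own provider registry rather than from the URL the HTTP request arrived with. Two things are assumptions for the sake of an offline demo: the `ex:RequesterID` element is a hypothetical extension (SAML 1.1 defines no issuer on requests), and an HMAC over the query bytes stands in for an XML-DSig signature with the SP's key; the registry is constructed and stands in for the IdP's database (or SAML 2.0 metadata).

```python
"""Signed SAML 1.1-style AttributeQuery that names its requester.

Illustrative code only, not from the saml-dev thread or any SAML toolkit.
An HMAC stands in for XML-DSig and ex:RequesterID is a hypothetical
extension element; SP_REGISTRY is constructed sample data.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
EXT = "urn:example:ext"  # hypothetical namespace for the requester id

# Constructed stand-in for the IdP's provider database: id -> the key the
# SP signs with and the endpoint the attributes may be returned to.
SP_REGISTRY = {
    "urn:example:sp:payroll": {
        "key": b"payroll-sp-signing-key",
        "endpoint": "https://payroll.example.org/saml/attributes",
    },
    "urn:example:sp:helpdesk": {
        "key": b"helpdesk-sp-signing-key",
        "endpoint": "https://helpdesk.example.org/saml/attributes",
    },
}


def build_attribute_query(requester_id, subject, attribute_names, request_id="_req1"):
    """SP side: serialize an AttributeQuery whose body carries the SP's id."""
    designators = "".join(
        f'<saml:AttributeDesignator AttributeName="{name}" '
        f'AttributeNamespace="urn:example:attrs"/>'
        for name in attribute_names
    )
    return (
        f'<samlp:AttributeQuery xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'xmlns:ex="{EXT}" RequestID="{request_id}" MajorVersion="1" '
        f'MinorVersion="1" IssueInstant="2004-03-31T15:00:00Z">'
        f"<ex:RequesterID>{requester_id}</ex:RequesterID>"
        f"<saml:Subject><saml:NameIdentifier>{subject}</saml:NameIdentifier>"
        f"</saml:Subject>{designators}</samlp:AttributeQuery>"
    ).encode()


def sign_query(query, key):
    """SP side: bind the whole query, requester id included, to the SP's key."""
    return base64.b64encode(hmac.new(key, query, hashlib.sha256).digest()).decode()


def resolve_receiver(query, signature, registry=SP_REGISTRY):
    """IdP side: authenticate the requester from the signed message, then take
    the response endpoint from the registry, never from the transport.
    Returns (requester_id, endpoint), or None if the query is not trustworthy."""
    root = ET.fromstring(query)
    if root.tag != f"{{{SAMLP}}}AttributeQuery":
        return None
    rid = root.find(f"{{{EXT}}}RequesterID")
    if rid is None or rid.text not in registry:
        return None  # unknown requester: nothing to verify against
    entry = registry[rid.text]
    expected = hmac.new(entry["key"], query, hashlib.sha256).digest()
    try:
        given = base64.b64decode(signature, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None
    if not hmac.compare_digest(expected, given):
        return None  # body (including the id) was altered, or wrong signer
    return rid.text, entry["endpoint"]


def demo():
    key = SP_REGISTRY["urn:example:sp:payroll"]["key"]
    query = build_attribute_query("urn:example:sp:payroll", "alice", ["email"])
    sig = sign_query(query, key)
    accepted = resolve_receiver(query, sig)

    # Replay of the signed query with the requester id rewritten so the
    # attributes would be routed to another provider: signature no longer
    # matches the key registered for the claimed id, so it is rejected.
    forged = query.replace(b"urn:example:sp:payroll", b"urn:example:sp:helpdesk")
    rejected = resolve_receiver(forged, sig)
    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```

The point of `resolve_receiver` is that it has no parameter for a caller-supplied return URL at all: the only way to get attributes delivered to an endpoint is to sign with the key registered next to that endpoint, which is what makes the URL-spoofing Chris worries about ineffective.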