saml-dev message



Subject: Re: [saml-dev] attributeexchange: where to add the receiver


Thanks for your answers.
I am working with SAML 1.1, so the SAML 2.0 metadata specification is out of
scope.
My situation is that it is no problem to get the URL of a service provider
when I know which SP to take.
The problem is that there could be more than one service provider, each one
identified by an id.
When I have the id, I can get the URL by looking it up in a database.
But how do I get the id? In a response, there is an "issuer" field, but in a
request?
Is there no way to get the id of the service provider in the SAML message?
If I send the response with the attributes back to the URL of the
HTTP request, isn't there the vulnerability of faking the URL and getting
the attributes to the wrong receiver?
Adding the id to the SAML message and signing it would prevent this.

Chris
--
PGP Fingerprint: 633B 47E1 B4AE 6184 2C83  E3DA B800 7BDD 038C 9060
----- Original Message ----- 
From: "Jahan Moreh" <jmoreh@sigaba.com>
To: "Christoph Riesenberger" <christoph.riesenberger@aon.at>;
<saml-dev@lists.oasis-open.org>
Sent: Wednesday, March 31, 2004 6:51 PM
Subject: RE: [saml-dev] attributeexchange: where to add the receiver


> Chris -
> This is indeed a very good question. The general question is how do SAML
> "consumers" and "producers" (in your example, the attribute consumer and the
> identity provider respectively) know about various service end points and
> other "metadata". This is the subject of the SAML 2.0 Metadata specification,
> which is currently in draft form. This draft specification allows the attribute
> consumer to specify one or more URLs at which it can consume the attributes
> (there are also provisions for designating one of the URLs as default). If
> you are interested, you can review the draft at
> http://www.oasis-open.org/apps/org/workgroup/security/download.php/6169/sstc-saml-metadata-2.0-draft-02.pdf.
> Please note: this is a draft and represents work in progress.
>
> Also note that metadata exchange is independent of the SAML queries and
> responses (preferably, metadata is exchanged prior to the query/response
> communication and also exchanged much less frequently than regular SAML
> query/response messages).
>
> Jahan
>
>
>
> ------
> Jahan Moreh
> Chief Security Architect
> 310.288.2141
>
> -----Original Message-----
> From: Christoph Riesenberger [mailto:christoph.riesenberger@aon.at]
> Sent: Wednesday, March 31, 2004 5:15 AM
> To: saml-dev@lists.oasis-open.org
> Subject: [saml-dev] attributeexchange: where to add the receiver
>
>
> Hi,
>
> I am working on an attribute exchange of 2 providers about a user. The
> "serviceprovider" sends an attributequery to the "identityprovider".
> The identityprovider checks if the serviceprovider is allowed to get the
> attributes and sends back an attributestatement. But how does he know where
> to send it back, if there is no providerid or url of the serviceprovider
> intended in an attributequery?
>
> Is there a way where to add this information in a SAML query?
>
> Thanks,
> Chris
> --
> PGP Fingerprint: 633B 47E1 B4AE 6184 2C83  E3DA B800 7BDD 038C 9060
>
>
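The routing problem raised in this thread, as an added example that is not part of the original messages or of any OASIS specification: a SAML 1.1 Request carries no Issuer, so the identity provider has to authenticate the requester some other way before it picks a destination for the attribute response. The code below carries the requester id inside the AttributeQuery (in its Resource attribute, an assumed convention rather than a SAML 1.1 rule), authenticates the message with an HMAC under a per-SP shared key as a stand-in for an XML signature, and then takes the return URL and the attribute release policy from the IdP's own provider database instead of from anything in the HTTP request. The provider ids, URLs, keys, header name and attribute values are all constructed for the example.

```python
"""Added example: an IdP deciding where to send a SAML 1.1 attribute response.

The requester id travels inside the authenticated message (here in the
AttributeQuery Resource attribute, an assumed convention), the message is
verified under the key registered for that id, and the destination URL and
release policy come from the IdP's own database. Nothing is trusted from
the transport layer.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed stand-in for the IdP's service-provider database: hypothetical
# provider ids, return URLs, per-SP shared keys and attribute release policy.
SP_DB = {
    "urn:example:sp:portal": {
        "url": "https://portal.example.org/saml/attributes",
        "key": b"portal-shared-secret",
        "allowed": {"mail", "eduPersonAffiliation"},
    },
    "urn:example:sp:library": {
        "url": "https://library.example.org/saml/attributes",
        "key": b"library-shared-secret",
        "allowed": {"eduPersonAffiliation"},
    },
}


def build_attribute_query(sp_id, subject_name, request_id="_req-1"):
    """SP side: a SAML 1.1 Request/AttributeQuery as bytes, requester id in Resource."""
    req = ET.Element(f"{{{SAMLP}}}Request", {
        "RequestID": request_id,
        "MajorVersion": "1",
        "MinorVersion": "1",
        "IssueInstant": "2004-03-31T12:00:00Z",
    })
    query = ET.SubElement(req, f"{{{SAMLP}}}AttributeQuery", {"Resource": sp_id})
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameIdentifier").text = subject_name
    return ET.tostring(req, encoding="utf-8")


def sign(xml_bytes, key):
    """HMAC-SHA256 over the exact request bytes; stand-in for an XML signature."""
    return hmac.new(key, xml_bytes, hashlib.sha256).hexdigest()


def destination_from_http_request(headers):
    """The approach the thread worries about: trust whatever URL the HTTP layer
    offers (hypothetical X-Return-URL header). Whoever sends the request picks it."""
    return headers.get("X-Return-URL")


def authenticate_requester(xml_bytes, signature):
    """IdP side: return the verified requester id, or None if the message does
    not authenticate as the provider it claims to come from."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return None
    query = root.find(f"{{{SAMLP}}}AttributeQuery")
    if query is None:
        return None
    sp_id = query.get("Resource")
    sp = SP_DB.get(sp_id)
    if sp is None:
        return None  # id not registered: nothing to verify against
    # The key is selected by the claimed id, so a request naming provider A
    # but signed by anyone else fails here.
    if not hmac.compare_digest(sign(xml_bytes, sp["key"]), signature):
        return None
    return sp_id


def destination_for(sp_id):
    """The return URL comes only from the record of the authenticated requester."""
    return SP_DB[sp_id]["url"]


def release_attributes(sp_id, attributes):
    """The authorization step from the thread: only attributes this SP may see."""
    allowed = SP_DB[sp_id]["allowed"]
    return {name: value for name, value in attributes.items() if name in allowed}


if __name__ == "__main__":
    user_attrs = {"mail": "alice@example.org", "eduPersonAffiliation": "member"}

    # Legitimate query from the portal, delivered over HTTP with an attacker-chosen header.
    xml = build_attribute_query("urn:example:sp:portal", "alice")
    sig = sign(xml, SP_DB["urn:example:sp:portal"]["key"])
    headers = {"X-Return-URL": "https://evil.example.net/collect"}
    print("insecure destination:", destination_from_http_request(headers))
    who = authenticate_requester(xml, sig)
    print("verified requester:", who, "->", destination_for(who))
    print("released:", release_attributes(who, user_attrs))

    # Attacker claims to be the portal but only holds their own key.
    print("forged:", authenticate_requester(xml, sign(xml, b"attacker-key")))

    # Attacker flips the id to another registered SP after the portal signed it.
    tampered = xml.replace(b"urn:example:sp:portal", b"urn:example:sp:library")
    print("tampered:", authenticate_requester(tampered, sig))
```

In a real SAML 1.1 deployment the authentication would be an XML signature over the Request (or a mutually authenticated TLS connection) and the lookup key would be the requester's certificate rather than a shared secret, but the structure is the same: the requester id is bound into the authenticated message, the IdP verifies it against the registered key for that id, and both the return URL and the released attributes are taken from the record that verification selected.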


