Subject: Re: [saml-dev] Use of Provider ID in Redirect-Artifact Profile
On 10/21/05, Kunal Gandhi <kunal@amsoft.net> wrote:

> > Shouldn't the SP extract the SourceID and EndPointIndex from the artifact and do a metadata lookup to determine the artifact resolution endpoint location at the IdP?
>
> #####
> For this the SourceID should either be resolvable or be mapped to a URI from where Metadata can be looked up.
> Since the SourceID (within the artifact) is limited in length, it can't be a resolvable identifier as I am building the service based on XRI (Extensible Resource Identifier) which can be longer. I can only reach IDP's metadata if I know its XRI. I resolve the XRI to get its Metadata End Point. For this reason I need to discover the IDP upon receiving an Artifact.
>
> Also, mapping a SourceID to a URI requires a priori arrangement which is not desired.
> #####

In practice, the SourceID is the SHA-1 hash of the providerId (see section 3.6.4.2 of [SAML2Bind]). On the SP end, the SHA-1 hashes of all the providerIds in metadata are pre-computed and stored, or hashed in real time and compared one by one to the SourceID. In either case, the issuing IdP becomes known.

Hope this helps,
Tom
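The lookup Tom describes, as an added example that is not part of the original thread: it decodes a SAML 2.0 type 0x0004 artifact, compares its SourceID against a table of SHA-1(entityID) values precomputed from the SP's metadata, and returns the issuing IdP together with the EndpointIndex to use for artifact resolution. The entityIDs, the artifact builder and the message handle are constructed sample values, not real providers.

```python
import base64
import hashlib
import os
from typing import Dict, Iterable, Optional, Tuple

# SAML 2.0 artifact, TypeCode 0x0004 (SAML2Bind section 3.6.4.2), base64-encoded:
#   TypeCode(2) | EndpointIndex(2) | SourceID(20) | MessageHandle(20)
ARTIFACT_TYPE = b"\x00\x04"
ARTIFACT_LEN = 44

def source_id(entity_id: str) -> bytes:
    """SourceID is the SHA-1 digest of the provider's entityID (providerId)."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()

def build_artifact(entity_id: str, endpoint_index: int, handle: bytes) -> str:
    """Constructed IdP-side artifact for this example; handle must be 20 random bytes."""
    if len(handle) != 20:
        raise ValueError("MessageHandle must be 20 bytes")
    raw = ARTIFACT_TYPE + endpoint_index.to_bytes(2, "big") + source_id(entity_id) + handle
    return base64.b64encode(raw).decode("ascii")

def parse_artifact(artifact: str) -> Tuple[int, bytes, bytes]:
    """Decode a type-4 artifact; returns (EndpointIndex, SourceID, MessageHandle)."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != ARTIFACT_LEN or raw[:2] != ARTIFACT_TYPE:
        raise ValueError("not a SAML 2.0 type 0x0004 artifact")
    return int.from_bytes(raw[2:4], "big"), raw[4:24], raw[24:44]

def sourceid_table(entity_ids: Iterable[str]) -> Dict[bytes, str]:
    """SP-side precomputed table: SHA-1(entityID) -> entityID for every IdP in metadata."""
    return {source_id(e): e for e in entity_ids}

def resolve_issuer(artifact: str, table: Dict[bytes, str]) -> Optional[Tuple[str, int]]:
    """Identify the issuing IdP and which ArtifactResolutionService index to call."""
    index, sid, _handle = parse_artifact(artifact)
    entity = table.get(sid)
    return None if entity is None else (entity, index)

# Constructed sample metadata: the entityIDs this SP trusts (not real providers).
TRUSTED_IDPS = ["https://idp.example.org/saml", "https://idp2.example.net/idp"]
TABLE = sourceid_table(TRUSTED_IDPS)

if __name__ == "__main__":
    art = build_artifact("https://idp2.example.net/idp", 1, os.urandom(20))
    print(resolve_issuer(art, TABLE))
```

A matching SourceID only tells the SP which metadata entry to use; it is not a secret, so the artifact must still be resolved over the authenticated back channel before anything in the returned message is trusted.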