saml-dev message



Subject: Re: [saml-dev] Use of Provider ID in Redirect-Artifact Profile


On 10/21/05, Kunal Gandhi <kunal@amsoft.net> wrote:
>
> Shouldn't the SP extract the
> SourceID and EndPointIndex from the artifact and do a metadata lookup
> to determine the artifact resolution endpoint location at the IdP?
>
> #####
> For this the SourceID should either be resolvable or be mapped to a URI from
> where Metadata can be looked up.
> Since the SourceID (within the artifact) is limited in length, it can't be a
> resolvable identifier as I am building the service based on XRI (Extensible
> Resource
> Identifier) which can be longer. I can only reach IDP's metadata if I know
> its XRI. I resolve the XRI to get its Metadata End Point. For this reason I
> need to discover the IDP upon receiving an Artifact.
>
> Also, mapping a SourceID to a URI requires a priori arrangement which is
> not desired.
> #####

In practice, the SourceID is the SHA-1 hash of the providerId (see
section 3.6.4.2 of [SAML2Bind]).  On the SP end, the SHA-1 hashes of
all the providerIds in metadata are pre-computed and stored, or hashed
in real time and compared one by one to the SourceID.  In either case,
the issuing IdP becomes known.

Hope this helps,
Tom
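An added worked example (not part of the original thread) of the SP-side lookup Tom describes: the artifact is decoded, the 20-byte SourceID is extracted, and it is matched against a table of SHA-1 hashes pre-computed from the entityIDs in metadata. The metadata dictionary, endpoint URLs and the artifact-building helper are constructed for this example.

```python
import base64
import hashlib

# Type code of the SAML 2.0 artifact format ([SAML2Bind] section 3.6.4):
#   TypeCode(2) | EndpointIndex(2) | SourceID(20) | MessageHandle(20) = 44 bytes
TYPE_CODE = b"\x00\x04"

# Constructed stand-in for the SP's metadata: each known IdP's entityID
# (the providerId) mapped to its ArtifactResolutionService endpoints by index.
KNOWN_IDPS = {
    "https://idp.example.org/saml2": {0: "https://idp.example.org/saml2/ars"},
    "https://idp.example.net/sso": {0: "https://idp.example.net/sso/ars",
                                    1: "https://backup.example.net/sso/ars"},
}

def source_id(entity_id):
    """SourceID is the SHA-1 hash of the provider's entityID (20 bytes)."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()

# Pre-computed table, as Tom describes: SHA-1(entityID) -> entityID, built once
# from metadata so that each incoming artifact costs one dictionary lookup.
SOURCE_ID_TABLE = {source_id(eid): eid for eid in KNOWN_IDPS}

def parse_artifact(artifact_b64):
    """Split a base64 artifact into (endpoint_index, source_id, message_handle)."""
    raw = base64.b64decode(artifact_b64, validate=True)
    if len(raw) != 44 or raw[:2] != TYPE_CODE:
        raise ValueError("not a type 0x0004 SAML 2.0 artifact")
    endpoint_index = int.from_bytes(raw[2:4], "big")
    return endpoint_index, raw[4:24], raw[24:44]

def resolve_issuer(artifact_b64, idps=KNOWN_IDPS, table=SOURCE_ID_TABLE):
    """Return (issuing entityID, resolution endpoint URL), or None when the
    SourceID matches no IdP in metadata (the artifact must then be rejected)."""
    endpoint_index, sid, _handle = parse_artifact(artifact_b64)
    entity_id = table.get(sid)
    if entity_id is None:
        return None
    return entity_id, idps[entity_id].get(endpoint_index)

def make_artifact(entity_id, endpoint_index, message_handle):
    """Build an artifact the way an IdP would (used here only to produce sample input)."""
    body = (TYPE_CODE + endpoint_index.to_bytes(2, "big")
            + source_id(entity_id) + message_handle)
    return base64.b64encode(body).decode("ascii")
```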

