saml-dev message
Subject: Re: [saml-dev] Use of Provider ID in Redirect-Artifact Profile


Tom Scavo wrote:

>On 10/21/05, Kunal Gandhi <kunal@amsoft.net> wrote:
>>Shouldn't the SP extract the
>>SourceID and EndPointIndex from the artifact and do a metadata lookup
>>to determine the artifact resolution endpoint location at the IdP?
>>
>>#####
>>For this the SourceID should either be resolvable or be mapped to a URI from
>>where Metadata can be looked up.
>>Since the SourceID (within the artifact) is limited in length, it can't be a
>>resolvable identifier as I am building the service based on XRI (Extensible
>>Resource
>>Identifier) which can be longer. I can only reach IDP's metadata if I know
>>its XRI. I resolve the XRI to get its Metadata End Point. For this reason I
>>need to discover the IDP upon receiving an Artifact.
>>
>>Also, mapping a SourceID  to a URI requires a priori arrangement which is
>>not desired.
>>#####
>
>In practice, the SourceID is the SHA-1 hash of the providerId (see
>section 3.6.4.2 of [SAML2Bind]).  On the SP end, the SHA-1 hashes of
>all the providerIds in metadata are pre-computed and stored, or hashed
>in real time and compared one by one to the SourceID.  In either case,
>the issuing IdP becomes known.
>
>Hope this helps,
>Tom
>
>---------------------------------------------------------------------
>This publicly archived list supports open discussion on implementing the SAML OASIS Standard. To minimize spam in the
>archives, you must subscribe before posting.
>
>[Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
>Alternately, using email: list-[un]subscribe@lists.oasis-open.org
>List archives: http://lists.oasis-open.org/archives/saml-dev/
>Committee homepage: http://www.oasis-open.org/committees/security/
>List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
>Join OASIS: http://www.oasis-open.org/join/
>
>
Kunal,

Why are you using XRIs to compute a reference to provider metadata? Any 
special use case that you are working on? The standard practice, as Tom 
said, is to use the SHA-1 hash of the provider ID as the succinct ID that 
is unique across a particular domain.

Prasad.
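To make Tom's answer concrete, here is an added Python example (written for this page, not code from the OASIS list or from any SAML implementation) of the SP side: it splits a type-0x0004 artifact into TypeCode, EndpointIndex, SourceID and MessageHandle as laid out in [SAML2Bind] section 3.6.4.2, and recovers the issuing IdP by matching the 20-byte SourceID against SHA-1 digests of the entityIDs in the SP's metadata, either pre-computed into a table or hashed one by one. The entityIDs and ArtifactResolutionService URLs are constructed sample values, not real providers, and the `MetadataIndex` class and `demo` helper are names chosen here, not SAML or library API.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# SAML 2.0 artifact layout (type 0x0004, [SAML2Bind] 3.6.4.2):
#   TypeCode(2) | EndpointIndex(2) | SourceID(20) | MessageHandle(20)
SAML2_ARTIFACT_TYPE = 0x0004
SOURCE_ID_LEN = 20
MESSAGE_HANDLE_LEN = 20
ARTIFACT_LEN = 2 + 2 + SOURCE_ID_LEN + MESSAGE_HANDLE_LEN


@dataclass(frozen=True)
class Artifact:
    type_code: int
    endpoint_index: int
    source_id: bytes
    message_handle: bytes


def source_id_for(entity_id: str) -> bytes:
    """SourceID is the 20-byte SHA-1 digest of the issuer's entityID (providerId)."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def build_artifact(entity_id: str, endpoint_index: int,
                   message_handle: Optional[bytes] = None) -> str:
    """IdP side: base64 of the four fields. The MessageHandle is the only
    unguessable part, so it comes from a CSPRNG when not supplied."""
    if not 0 <= endpoint_index <= 0xFFFF:
        raise ValueError("EndpointIndex must fit in 2 bytes")
    handle = secrets.token_bytes(MESSAGE_HANDLE_LEN) if message_handle is None else message_handle
    if len(handle) != MESSAGE_HANDLE_LEN:
        raise ValueError("MessageHandle must be 20 bytes")
    raw = (SAML2_ARTIFACT_TYPE.to_bytes(2, "big") + endpoint_index.to_bytes(2, "big")
           + source_id_for(entity_id) + handle)
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact_b64: str) -> Artifact:
    """Split an artifact into its fields, rejecting anything that is not a
    well-formed type-0x0004 artifact before any metadata lookup happens."""
    raw = base64.b64decode(artifact_b64, validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError(f"artifact must be {ARTIFACT_LEN} bytes, got {len(raw)}")
    type_code = int.from_bytes(raw[0:2], "big")
    if type_code != SAML2_ARTIFACT_TYPE:
        raise ValueError(f"unsupported artifact type 0x{type_code:04x}")
    return Artifact(type_code=type_code,
                    endpoint_index=int.from_bytes(raw[2:4], "big"),
                    source_id=raw[4:4 + SOURCE_ID_LEN],
                    message_handle=raw[4 + SOURCE_ID_LEN:])


class MetadataIndex:
    """Tom's first option: pre-compute SHA-1(entityID) for every IdP in the SP's
    metadata once, then resolve SourceIDs by table lookup (hypothetical class).
    `idps` maps entityID -> {EndpointIndex: ArtifactResolutionService URL}."""

    def __init__(self, idps: Dict[str, Dict[int, str]]):
        self._by_source_id: Dict[bytes, Tuple[str, Dict[int, str]]] = {
            source_id_for(eid): (eid, endpoints) for eid, endpoints in idps.items()}

    def find_idp(self, source_id: bytes) -> Optional[str]:
        match = self._by_source_id.get(source_id)
        return None if match is None else match[0]

    def resolve(self, artifact_b64: str) -> Tuple[str, str, Artifact]:
        """Return (issuer entityID, ARS URL to call, parsed artifact)."""
        art = parse_artifact(artifact_b64)
        match = self._by_source_id.get(art.source_id)
        if match is None:
            raise LookupError("SourceID matches no IdP in metadata")
        entity_id, endpoints = match
        url = endpoints.get(art.endpoint_index)
        if url is None:
            raise LookupError(f"{entity_id} has no ArtifactResolutionService "
                              f"with index {art.endpoint_index}")
        return entity_id, url, art


def find_idp_by_scan(entity_ids, source_id: bytes) -> Optional[str]:
    """Tom's second option: hash each entityID on the fly and compare one by one."""
    for entity_id in entity_ids:
        if source_id_for(entity_id) == source_id:
            return entity_id
    return None


# Constructed sample metadata; these are not real providers.
SAMPLE_IDPS = {
    "https://idp.example.org/saml2/idp": {0: "https://idp.example.org/saml2/ars"},
    "https://idp2.example.net/sso": {0: "https://idp2.example.net/ars/0",
                                     1: "https://idp2.example.net/ars/1"},
}


def demo() -> Tuple[str, str]:
    """One round trip: the second IdP issues an artifact for endpoint 1 and the
    SP recovers issuer and ARS URL with no prior SourceID-to-URI arrangement."""
    index = MetadataIndex(SAMPLE_IDPS)
    artifact = build_artifact("https://idp2.example.net/sso", 1)
    entity_id, url, _ = index.resolve(artifact)
    return entity_id, url


if __name__ == "__main__":
    print(demo())
```

The SourceID table is built from public metadata, so it is not a secret and a plain dict lookup is fine; the secrecy of the exchange rests on the 20-byte MessageHandle and on the SP resolving the artifact over the authenticated back channel to the ARS URL taken from metadata, never from the artifact itself. Because the SourceID is a fixed-length digest, the IdP's entityID (or XRI) can be arbitrarily long and the SP still needs nothing beyond the metadata it already trusts.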

