Subject: Re: [saml-dev] Use of Provider ID in Redirect-Artifact Profile
Tom Scavo wrote:

> On 10/21/05, Kunal Gandhi <kunal@amsoft.net> wrote:
>
>> Shouldn't the SP extract the SourceID and EndPointIndex from the artifact and do a metadata lookup to determine the artifact resolution endpoint location at the IdP?
>>
>> #####
>> For this the SourceID should either be resolvable or be mapped to a URI from where Metadata can be looked up.
>> Since the SourceID (within the artifact) is limited in length, it can't be a resolvable identifier as I am building the service based on XRI (Extensible Resource Identifier) which can be longer. I can only reach the IdP's metadata if I know its XRI. I resolve the XRI to get its Metadata End Point. For this reason I need to discover the IdP upon receiving an Artifact.
>>
>> Also, mapping a SourceID to a URI requires a priori arrangement which is not desired.
>> #####
>
> In practice, the SourceID is the SHA-1 hash of the providerId (see section 3.6.4.2 of [SAML2Bind]). On the SP end, the SHA-1 hashes of all the providerIds in metadata are pre-computed and stored, or hashed in real time and compared one by one to the SourceID. In either case, the issuing IdP becomes known.
>
> Hope this helps,
> Tom
>
> ---------------------------------------------------------------------
> This publicly archived list supports open discussion on implementing the SAML OASIS Standard. To minimize spam in the archives, you must subscribe before posting.
>
> [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
> Alternately, using email: list-[un]subscribe@lists.oasis-open.org
> List archives: http://lists.oasis-open.org/archives/saml-dev/
> Committee homepage: http://www.oasis-open.org/committees/security/
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> Join OASIS: http://www.oasis-open.org/join/

Kunal,

Why are you using XRIs to compute a reference to provider metadata? Any special use case that you are working on?

The standard practice, as Tom said, is to use the SHA-1 hash of the provider ID as the succinct ID that is unique across a particular domain.

Prasad.
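The SP-side lookup Tom describes, as an added worked example that is not part of this thread or of any SAML implementation: it parses a type 4 artifact into TypeCode, EndpointIndex, SourceID and MessageHandle (the layout from section 3.6.4.2 of [SAML2Bind], which the thread cites), then identifies the issuing IdP either from a pre-computed SHA-1(providerId) table or by hashing each known providerId on the fly, and finally selects the artifact resolution endpoint by index. The providerIds and endpoint URLs are constructed sample metadata, not real providers, and `make_artifact` exists only to build sample input. The `None` results show Kunal's concern in code: an artifact whose SourceID matches no providerId in the SP's metadata cannot be attributed to any IdP, so the SP has nothing to resolve it against.

```python
import base64
import hashlib
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample metadata: providerIds (called entityIDs in SAML 2.0) of the
# IdPs this SP trusts. A real SP loads these from its metadata store.
KNOWN_PROVIDER_IDS = [
    "https://idp.example.org/idp/shibboleth",
    "https://login.example.com/saml2/idp",
]

# Constructed: ArtifactResolutionService locations per provider, keyed by the
# EndpointIndex the IdP places in the artifact (hypothetical URLs).
ARTIFACT_RESOLUTION_ENDPOINTS = {
    "https://idp.example.org/idp/shibboleth": {
        0: "https://idp.example.org/idp/profile/SAML2/SOAP/ArtifactResolution",
    },
    "https://login.example.com/saml2/idp": {
        0: "https://login.example.com/saml2/idp/ArtifactResolution",
        1: "https://login-backup.example.com/saml2/idp/ArtifactResolution",
    },
}

TYPE_CODE = b"\x00\x04"            # SAML 2.0 type 4 artifact
ARTIFACT_LEN = 2 + 2 + 20 + 20     # TypeCode + EndpointIndex + SourceID + MessageHandle


def source_id_for(provider_id: str) -> bytes:
    """SourceID is the 20-byte SHA-1 digest of the providerId (SAML2Bind 3.6.4.2)."""
    return hashlib.sha1(provider_id.encode("utf-8")).digest()


def build_source_id_table(provider_ids: Iterable[str]) -> Dict[bytes, str]:
    """First approach in the thread: pre-compute SHA-1(providerId) for every known IdP."""
    return {source_id_for(pid): pid for pid in provider_ids}


def make_artifact(provider_id: str, endpoint_index: int,
                  message_handle: Optional[bytes] = None) -> str:
    """IdP-side encoding, included only so the example can construct sample input."""
    if message_handle is None:
        message_handle = os.urandom(20)  # a real IdP draws a fresh random handle per artifact
    if len(message_handle) != 20 or not 0 <= endpoint_index <= 0xFFFF:
        raise ValueError("message handle must be 20 bytes and endpoint index 16-bit")
    raw = TYPE_CODE + endpoint_index.to_bytes(2, "big") + source_id_for(provider_id) + message_handle
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact: str) -> Tuple[int, bytes, bytes]:
    """Split a base64 artifact into (EndpointIndex, SourceID, MessageHandle); reject malformed input."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError(f"artifact must be {ARTIFACT_LEN} bytes, got {len(raw)}")
    if raw[:2] != TYPE_CODE:
        raise ValueError(f"unsupported artifact type code {raw[:2].hex()}")
    endpoint_index = int.from_bytes(raw[2:4], "big")
    return endpoint_index, raw[4:24], raw[24:44]


def resolve_issuer(artifact: str, table: Dict[bytes, str]) -> Optional[Tuple[str, int]]:
    """Look the SourceID up in the pre-computed table; None means the IdP is not in metadata."""
    endpoint_index, source_id, _handle = parse_artifact(artifact)
    provider_id = table.get(source_id)
    if provider_id is None:
        return None
    return provider_id, endpoint_index


def resolve_issuer_linear(artifact: str, provider_ids: Iterable[str]) -> Optional[Tuple[str, int]]:
    """Second approach in the thread: hash each providerId in real time and compare one by one."""
    endpoint_index, source_id, _handle = parse_artifact(artifact)
    for pid in provider_ids:
        if source_id_for(pid) == source_id:
            return pid, endpoint_index
    return None


def resolution_endpoint(artifact: str, table: Dict[bytes, str],
                        endpoints: Dict[str, Dict[int, str]]) -> Optional[str]:
    """Full SP-side step: identify the IdP, then pick its ArtifactResolutionService by index."""
    issuer = resolve_issuer(artifact, table)
    if issuer is None:
        return None
    provider_id, endpoint_index = issuer
    return endpoints.get(provider_id, {}).get(endpoint_index)


if __name__ == "__main__":
    table = build_source_id_table(KNOWN_PROVIDER_IDS)
    sample = make_artifact("https://login.example.com/saml2/idp", 1)
    print(resolve_issuer(sample, table))
    print(resolution_endpoint(sample, table, ARTIFACT_RESOLUTION_ENDPOINTS))
```

The table lookup costs one hash per artifact regardless of how many IdPs are in metadata, so it is the usual choice once the metadata set is large; the linear form is what Tom's "hashed in real time" alternative amounts to. Either way, the length and type-code checks in `parse_artifact` come before any lookup so that a truncated or foreign artifact is rejected rather than silently mis-sliced.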