Subject: Re: [saml-dev] Use of Provider ID in Redirect-Artifact Profile
Thanks! See response inline ####.

Regards,
Kunal Gandhi

----- Original Message -----
From: "Tom Scavo" <trscavo@gmail.com>
To: "Kunal Gandhi" <kunal@amsoft.net>
Cc: <saml-dev@lists.oasis-open.org>
Sent: Friday, October 21, 2005 6:05 PM
Subject: Re: [saml-dev] Use of Provider ID in Redirect-Artifact Profile

On 10/21/05, Kunal Gandhi <kunal@amsoft.net> wrote:
> > Shouldn't the SP extract the SourceID and EndPointIndex from the artifact and do a metadata lookup to determine the artifact resolution endpoint location at the IdP?
>
> #####
> For this the SourceID should either be resolvable or be mapped to a URI from where Metadata can be looked up.
> Since the SourceID (within the artifact) is limited in length, it can't be a resolvable identifier as I am building the service based on XRI (Extensible Resource Identifier) which can be longer. I can only reach the IdP's metadata if I know its XRI. I resolve the XRI to get its Metadata End Point. For this reason I need to discover the IdP upon receiving an Artifact.
>
> Also, mapping a SourceID to a URI requires a priori arrangement which is not desired.
> #####

In practice, the SourceID is the SHA-1 hash of the providerId (see section 3.6.4.2 of [SAML2Bind]). On the SP end, the SHA-1 hashes of all the providerIds in metadata are pre-computed and stored, or hashed in real time and compared one by one to the SourceID. In either case, the issuing IdP becomes known.

#### Kunal wrote: #####
True. Just that it is not desired in our case to have such arrangement that requires SP and IdP to exchange such info a priori. All discovery is based on XRI Resolution.
####################

Hope this helps,
Tom
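The SP-side lookup Tom describes (parse the type 0x0004 artifact, match its SourceID against SHA-1 hashes of the entityIDs in metadata, then pick the ArtifactResolutionService by EndpointIndex), as an added example that is not code from the thread or from any SAML implementation. The two-IdP metadata table, entityIDs, endpoint URLs and message handle are constructed for the demo.

```python
import base64
import hashlib
import struct
from typing import Dict, Optional, Tuple

# Constructed sample metadata (hypothetical values): entityID -> {EndpointIndex: ArtifactResolutionService URL}
IDP_METADATA: Dict[str, Dict[int, str]] = {
    "https://idp.example.org/saml": {
        0: "https://idp.example.org/saml/ars/soap",
        1: "https://idp.example.org/saml/ars/soap-alt",
    },
    "https://idp2.example.net/sso": {0: "https://idp2.example.net/sso/ars"},
}

def source_id(entity_id: str) -> bytes:
    """SourceID per SAML 2.0 Bindings 3.6.4.2: the 20-byte SHA-1 of the entityID."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()

def build_source_id_table(metadata: Dict[str, Dict[int, str]]) -> Dict[bytes, str]:
    """Pre-compute the hash table Tom mentions, so a SourceID maps straight back to an entityID."""
    return {source_id(eid): eid for eid in metadata}

def parse_artifact(artifact_b64: str) -> Tuple[int, bytes, bytes]:
    """Decode a type 0x0004 artifact: TypeCode(2) | EndpointIndex(2) | SourceID(20) | MessageHandle(20)."""
    raw = base64.b64decode(artifact_b64, validate=True)
    if len(raw) != 44:
        raise ValueError("type 0x0004 artifact must be exactly 44 bytes")
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != 0x0004:
        raise ValueError(f"unsupported artifact type code 0x{type_code:04x}")
    return endpoint_index, raw[4:24], raw[24:44]

def resolve_issuer(artifact_b64: str, metadata: Dict[str, Dict[int, str]]) -> Optional[Tuple[str, str, bytes]]:
    """Return (entityID, resolution endpoint, message handle), or None if the issuer or index is unknown.
    An unknown SourceID means no trusted IdP matches: the SP must refuse to resolve it."""
    table = build_source_id_table(metadata)
    index, sid, handle = parse_artifact(artifact_b64)
    entity_id = table.get(sid)
    if entity_id is None:
        return None
    endpoint = metadata[entity_id].get(index)
    if endpoint is None:
        return None
    return entity_id, endpoint, handle

def make_artifact(entity_id: str, endpoint_index: int, message_handle: bytes) -> str:
    """IdP-side helper used only to construct a sample artifact for the demo."""
    body = struct.pack(">HH", 0x0004, endpoint_index) + source_id(entity_id) + message_handle
    return base64.b64encode(body).decode("ascii")
```

Note that without a metadata entry the SourceID is an opaque 20-byte digest, which is exactly the point Kunal raises: the hash only becomes an issuer once the SP already holds that IdP's entityID.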