[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: acquiring | dereferencing an assertion using an artifact
regarding the saml 1.1 web sso browser/artifact profile (oasis-sstc-saml-bindings-1.1.pdf), i am curious to know what is the best practice among implementors in this forum in regards to acquiring | dereferencing an assertion given an artifact? possible approaches are: 1. the source site generates the assertion first then creates an associated artifact and sends the artifact to an artifact reciever service at the destination site; the artifact reciever service acquires the previously-created assertion from the source site. 2. the source site generates only an artifact and sends the artifact to an artifact reciever service at the destination site; the artifact reciever service sends a saml request (containing the artifact) to the source site and the source site generates an assertion there and then (on the fly); which it sends back to the artifact receiver service in a saml response. my questions are: a. approach #1 assumes some kind of persistence mechanism (in-memory cache, file-system serialization, rdbms, etc...); please, can anybody share the pros and cons of this approach and the different possible persistence mechanisms? b. approach #2 strikes me as both the simplest to implement and more performant than, say, an rdbms persistence approach; if you've used this approach, what are the real-world trade-offs? many thanks, will
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]