Subject: RE: [saml-dev] Distributed IDP model
> Instead I think what's needed is a lightweight SOAP request
> through which an IDP can ask a proxy to generate an
> assertion/artifact pair on its behalf. The response would be
> a SAML artifact. This request/response should ideally be
> part of the SAML standard protocols.

Only if you expect independent implementations. This still looks like an IdP implementation strategy (and not one I understand), which could be internal to any IdP. I could insert arbitrary SOAP remoting inside virtually any piece of any software; that doesn't make it a good idea though, or imply that every standard decomposes itself to allow for that.

> Of course this begs the question of how the identity of the
> original IDP should be reflected in the SAML assertion. It
> seems to me the standard assertion schema may need to be
> extended to accommodate an additional element for this purpose.

I don't think so. It's out of band (or in metadata, etc.) what constitutes an appropriate public key for an IdP to use. Or multiple such keys. The identity of the assertion issuer is not a certificate subject, it's an entityID.

I don't see multiple SAML entities here, I see one IdP that's just splitting itself internally. Unless you're really talking about separating the IdP across security domains, which would be something quite different, and starts to at least sound like proxying, but in proxying, both links in the chain are full SAML IdPs, and you don't want that (apparently).

-- Scott
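As an added illustration of the point above (not code from the thread or any SAML implementation): an SP-side check that anchors trust on the issuer's entityID and on the signing keys published in its metadata, several keys allowed, rather than on a certificate subject. The metadata, assertion and certificate values are constructed placeholders; actual XMLDSig verification is assumed to be done separately.

```python
# Added example, not from the saml-dev thread: an SP-side check that anchors
# trust on the issuer's entityID and the signing keys published in its
# metadata (several keys allowed), not on a certificate subject. All XML and
# certificate values below are constructed placeholders.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

KEY = ('<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
       '<ds:X509Certificate>%s</ds:X509Certificate>'
       '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')

# Constructed IdP metadata: one entityID, two signing certs (key rollover).
IDP_METADATA = (
    '<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="https://idp.example.org/idp">'
    '<md:IDPSSODescriptor>%s%s</md:IDPSSODescriptor></md:EntityDescriptor>'
    % (NS["md"], NS["ds"], KEY % "CERT-A-PLACEHOLDER", KEY % "CERT-B-PLACEHOLDER"))

def make_assertion(issuer, cert):
    """Constructed assertion carrying only the parts this check inspects."""
    return ('<saml:Assertion xmlns:saml="%s" xmlns:ds="%s"><saml:Issuer>%s</saml:Issuer>'
            '<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
            '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'
            '</saml:Assertion>' % (NS["saml"], NS["ds"], issuer, cert))

def trusted_signing_certs(metadata_xml):
    """Return (entityID, set of normalised signing certs) from IdP metadata."""
    root = ET.fromstring(metadata_xml)
    certs = set()
    for kd in root.findall(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' means any use
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            certs.add("".join(c.text.split()))  # strip PEM line wrapping
    return root.get("entityID"), certs

def trust_anchor_ok(assertion_xml, metadata_xml):
    """True only if saml:Issuer equals the metadata entityID and the cert named
    in the assertion's KeyInfo is one published for that entity. The XMLDSig
    signature must still be verified against that cert by the caller."""
    entity_id, certs = trusted_signing_certs(metadata_xml)
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    presented = root.findtext(".//ds:KeyInfo//ds:X509Certificate", namespaces=NS)
    if issuer is None or presented is None:
        return False
    return issuer.strip() == entity_id and "".join(presented.split()) in certs
```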