Subject: [security-services] RE: Is a separate "ArtifactReceiver" required?
FWIW: The Shibboleth flow uses two parameters, one called "target" and one called "shire". The shire parameter is the acceptance point at the target site which the source site would send the user back to once finished with local authentication. The target is the place the user wanted to go before being so rudely interrupted.

It sounds like the Catalyst implementers were using the target to figure out what the shire-equivalent URL should be, and then were sending the user there without any further indication of where the user would then be sent. That obviously won't work as a general mechanism for "target-first" access.

The POST profile specifically calls out the TARGET form element as being not the place where the assertion is posted but instead the resource the user should be sent to afterwards. This is consistent with Shib's usage (we copy the incoming target back out into the form verbatim).

Also FWIW, we know of lots of important or useful extensions that we'd like to have available to provide more control, but have deferred that until we can approach it with some formalism, whether we adopt Liberty's approach, or perhaps contribute something to a SAML 1.1 discussion (my preference at the moment).

-- Scott
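The flow described in the message above, as an added sketch that is not part of the original message and is not Shibboleth code: the source site reads "target" and "shire", posts the assertion to the shire, and echoes the target verbatim in the TARGET form element. The host names, the `/HS` and `/SHIRE` paths, the function names and the placeholder assertion value are assumptions made for illustration.

```python
import html
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed sample request arriving at the source site (hypothetical URLs).
WANTED = "https://sp.example.org/docs/report?id=7&view=full"
SHIRE = "https://sp.example.org/SHIRE"
REQUEST = "https://idp.example.edu/HS?" + urlencode({"target": WANTED, "shire": SHIRE})


def parse_auth_request(url):
    """Source site: extract the two parameters, each required exactly once."""
    query = parse_qs(urlsplit(url).query, strict_parsing=True)
    for name in ("target", "shire"):
        if len(query.get(name, [])) != 1:
            raise ValueError(f"expected exactly one {name!r} parameter")
    return {"target": query["target"][0], "shire": query["shire"][0]}


def build_post_form(req, saml_response_b64):
    """Source site: the form posts to the shire; TARGET carries the resource.

    The target is copied back unchanged; it is only HTML-escaped so that it
    survives as an attribute value and decodes to the same string.
    """
    def esc(value):
        return html.escape(value, quote=True)

    return (
        f'<form method="post" action="{esc(req["shire"])}">\n'
        f'  <input type="hidden" name="TARGET" value="{esc(req["target"])}"/>\n'
        f'  <input type="hidden" name="SAMLResponse" value="{esc(saml_response_b64)}"/>\n'
        "</form>"
    )


def shire_receive(form_fields):
    """Target site acceptance point: decide where the user goes afterwards."""
    target = form_fields.get("TARGET")
    if not target:
        # The failure mode in the message: the user reaches the acceptance
        # point with no indication of where to be sent next.
        raise ValueError("no TARGET: acceptance point cannot forward the user")
    return target


if __name__ == "__main__":
    request = parse_auth_request(REQUEST)
    print(build_post_form(request, "PLACEHOLDER_BASE64_ASSERTION"))
    print(shire_receive({"TARGET": request["target"]}))
```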