Subject: FW: [security-services] DDDS RFCs, Liberty and SAML Metadata exchange protocol


Peter Davis sent me a very important clarification. Please see below.

Thanks,
Jahan
-----Original Message-----
From: Peter C Davis [mailto:peter.davis@neustar.biz]
Sent: Monday, September 22, 2003 7:12 AM
To: jmoreh@sigaba.com
Subject: Re: [security-services] DDDS RFCs, Liberty and SAML Metadata
exchange protocol


One clarification, which I think is useful, esp. w/larger enterprises...

Jahan Moreh wrote:

<snip/>

>
>
> Assume a providerID URI of http://sigaba.com/saml/consumer/cs. We can
> have a regular expression and replacement string like:
>
>
> !^([^:/?#]+:)?/*([^:/?#]*@)?(([^/?:#]*\.)*(([^/?#:\.]+)\.([^/?#:\.]+)))(:\d+)?([^?#]*)(\?[^#]*)?(#.*)?$!\3!
>
> Basically, this expression extracts the FQDN (i.e., sigaba.com), which
> is "subexpression" #3. The FQDN is used as the "replacement" string.
> Next, the requestor performs a DNS NAPTR query to the domain
> sigaba.com. It may get back something like this:
>
> !^.*$!https://sigaba.com/metadata/cs/consumer.xml!
>
> Basically, the above says "replace your data with
> https://sigaba.com/metadata/cs/consumer.xml". DDDS and NAPTR provide a
> way to tell the requestor if the replacement string is "terminal" or
> not. This is accomplished using a flag (not shown in the examples).
>

DDDS NAPTR expressions also allow for publishing multiple providerID
metadata locations with a single replacement string in the DNS. For example:

assuming two providerID's:


	http://sigaba.com/saml/consumer/cs
	http://sigaba.com/saml/producer/cs

and the regex:

	!^.*(producer|consumer)/cs$!https://sigaba.com/metadata/cs/\\1\.xml!

thus reducing the number of entries in the zone for this purpose (when
carefully thought-out) to one, but allowing essentially unlimited
providerID entities.

(BTW: this mail will bounce to the SSTC mailing list.  So, I replied only
to you. Feel free to repost to the mailing list.)

--- peterd
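Added example, not part of the thread: the two-step DDDS walk described above (providerID -> FQDN via the first rule, then a NAPTR rewrite applied to the original providerID) run against a constructed in-memory NAPTR table instead of a live DNS query. The "SAML+META" service tag, the record layout, and the `\1.xml` spelling of the replacement are assumptions for illustration.

```python
import re

# First Well Known Rule from the thread: extract the FQDN (subexpression 3)
# from the providerID URI.
FIRST_RULE = (r'!^([^:/?#]+:)?/*([^:/?#]*@)?(([^/?:#]*\.)*(([^/?#:\.]+)\.'
              r'([^/?#:\.]+)))(:\d+)?([^?#]*)(\?[^#]*)?(#.*)?$!\3!')

# Constructed NAPTR records (assumption, not a real zone):
# key -> list of (order, preference, flags, service, regexp).
# One terminal ("u") rule serves both providerIDs from the thread.
NAPTR_ZONE = {
    "sigaba.com": [
        (100, 10, "u", "SAML+META",
         r'!^.*(producer|consumer)/cs$!https://sigaba.com/metadata/cs/\1.xml!'),
    ],
}

def parse_naptr_regexp(expr):
    """Split "<d>regex<d>replacement<d>[flags]" on unescaped delimiters."""
    delim = re.escape(expr[0])
    parts = re.split(r'(?<!\\)' + delim, expr)
    if len(parts) < 4:
        raise ValueError("malformed substitution expression: %r" % expr)
    return parts[1], parts[2], parts[3]

def apply_substitution(expr, key):
    """Return the rewritten key, or None when the regex does not match."""
    pattern, replacement, flags = parse_naptr_regexp(expr)
    m = re.match(pattern, key, re.IGNORECASE if "i" in flags else 0)
    if m is None:
        return None
    # Expand \1..\9 backreferences; an unmatched optional group expands to "".
    return re.sub(r'\\([1-9])', lambda b: m.group(int(b.group(1))) or "", replacement)

def resolve_metadata_location(provider_id, zone=NAPTR_ZONE, max_hops=5):
    """DDDS walk: providerID -> FQDN key -> NAPTR rule(s) -> terminal URI.
    Per DDDS the rule regexp is applied to the original providerID, not the key.
    The result is DNS-sourced data: verify the fetched metadata's signature."""
    key = apply_substitution(FIRST_RULE, provider_id)
    for _ in range(max_hops):            # bound the loop: rules are untrusted input
        for _order, _pref, flags, service, regexp in sorted(zone.get(key, [])):
            if service != "SAML+META":
                continue
            out = apply_substitution(regexp, provider_id)
            if out is None:
                continue
            if "u" in flags:             # terminal: result is the metadata URI
                return out
            key = out                    # non-terminal: query the new key
            break
        else:
            return None                  # no applicable rule for this key
    return None
```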



