Subject: RE: [security-services] Groups -sstc-saml-MetadataDiscoveryProtocols-2.0-draft-00.pdf uploaded
Taking a whack myself...

> (1) Why include the DNS proposal, what is the motivation,
> scenarios driving this to be included ? Will anyone implement ?

As opposed to the well known URL way? Both use DNS. The motivation for me is URNs, because they're one way of controlling the provider identifier "namespace" among a set of parties. Since some of the Liberty implementers are implementing it, the obvious answer to the second question is yes.

> (2) How does one find out the "well known URL" ? Do I assume
> that the URL may not be the resource but may inquire against
> something else ? Are there length restrictions ? What is the
> assumed response from the URL ?

The URL *is* the provider's identifier, directly. The Issuer of assertions from that provider might be "http://identityprovider.com/saml2" for example. You hit that URL, you get the metadata document. This isn't rocket science, or am I missing something?

> (3) Is there just 1 "well known URL" per service end point ?

It's one per uniquely identified entity in a set of parties. It's not about service end points, that's what's in the metadata.

> (4) if I don't know the service end point how do I find the
> "well known URL" ?

The URL is only well known in the sense that if you know the provider's unique identifier, you know the URL by definition. It's not magically known just because you have a vague notion of who you want to know about, that's what UDDI and its ilk are good for.

-- Scott
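The well-known URL lookup described in the message above, as an added Python example that is not part of the original post or of any SAML implementation. The function names, the `fetch` callable, the DTD refusal and the entityID-match check are assumptions of this sketch, and the metadata document and endpoint location are constructed sample data.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

class MetadataError(Exception):
    """Raised when an identifier cannot be resolved to usable metadata."""

def resolve_metadata(entity_id, fetch):
    """Dereference entity_id and return its EntityDescriptor element.

    fetch is a hypothetical callable (url -> bytes); a real one would do an
    HTTP GET and authenticate the result (TLS and/or a metadata signature).
    """
    parts = urlsplit(entity_id)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        # e.g. a URN identifier: the URL method does not apply to it
        raise MetadataError("identifier is not an http(s) URL")
    doc = fetch(entity_id)
    if b"<!DOCTYPE" in doc:
        raise MetadataError("metadata with a DTD is refused")
    root = ET.fromstring(doc)
    # Accept a single EntityDescriptor or one nested in an EntitiesDescriptor,
    # but only if it claims the identifier we dereferenced.
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        if ed.get("entityID") == entity_id:
            return ed
    raise MetadataError("no EntityDescriptor with a matching entityID")

def sso_endpoints(ed):
    """Service endpoints come out of the metadata, not out of the identifier."""
    return [(e.get("Binding"), e.get("Location"))
            for e in ed.iter(f"{{{MD}}}SingleSignOnService")]

# Constructed sample: what the provider might serve at its identifier URL.
IDP = "http://identityprovider.com/saml2"
SAMPLE = {IDP: f"""<EntityDescriptor xmlns="{MD}" entityID="{IDP}">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://identityprovider.com/sso/redirect"/>
  </IDPSSODescriptor>
</EntityDescriptor>""".encode()}

if __name__ == "__main__":
    descriptor = resolve_metadata(IDP, SAMPLE.__getitem__)
    print(sso_endpoints(descriptor))
```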