security-services message

Subject: Re: [security-services] AssertionConsumerServiceIndex vs. AssertionConsumerURL

Mishra, Prateek wrote on 8/25/2004, 12:44 PM:

I am puzzled by the occurrence of these two fields in an AuthNRequest. At the minimum there appears to be some redundancy here: Why isn't it always enough to set AssertionConsumerURL to the right value?

The expectation is that neither of these is specified most of the time (making the request smaller). The issue is mostly around keeping the request as small as possible so that it can (hopefully) be included in a browser redirect URL.

So, in the case where it wasn't specified, the value would come from the MetaData.

If one URL isn't enough, the Provider can put multiple URLs in the metadata and use the AssertionConsumerServiceIndex to point to the appropriate URL. With a long name like "AssertionConsumerServiceIndex" (rather than something like ACSIdx), I'm not sure how much space you save by using an index than a URL, but that isn't my call.

If the provider doesn't want to do MetaData, it can place the actual URL on the request.

In addition, using metadata has the potential to be more secure/trusted (i.e. if the metadata is signed by some higher authority than the requestor).

And a final note, if you do include the AssertionConsumerURL, I think the request has to be signed. With the other methods, it is more easily accepted without a signature.

Hope this helps.

Conor
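The resolution logic Conor describes, written out as an added example for the identity-provider side (this is not code from the thread or from any OASIS implementation). It assumes the SAML 2.0 attribute names AssertionConsumerServiceIndex and AssertionConsumerServiceURL on the AuthnRequest, a constructed SP metadata document with two endpoints, and a caller that has already verified the request signature and passes the result in as a flag.

```python
# Added example: pick the AssertionConsumerService URL an IdP should send the
# Response to, preferring metadata and only accepting an explicit URL when the
# request is signed and the URL is registered. Metadata/requests are constructed.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed SP metadata: two ACS endpoints, index 0 marked as the default.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://sp.example.org">
 <md:SPSSODescriptor>
  <md:AssertionConsumerService index="0" isDefault="true" Location="https://sp.example.org/acs/post"/>
  <md:AssertionConsumerService index="1" Location="https://sp.example.org/acs/artifact"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def load_acs_endpoints(metadata_xml):
    """Return ({index: Location}, default Location) from SP metadata."""
    by_index, default = {}, None
    for acs in ET.fromstring(metadata_xml).iterfind(".//md:AssertionConsumerService", NS):
        by_index[int(acs.get("index"))] = acs.get("Location")
        if acs.get("isDefault") == "true":
            default = acs.get("Location")
    return by_index, default or by_index[min(by_index)]

def authn_request(**attrs):
    """Build a minimal constructed samlp:AuthnRequest carrying the given attributes."""
    extra = "".join(f' {k}="{v}"' for k, v in attrs.items())
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" ID="_abc" Version="2.0" '
            f'IssueInstant="2004-08-25T12:44:00Z"{extra}/>')

def resolve_acs(request_xml, metadata_xml, request_is_signed):
    """Resolve the ACS URL; raise ValueError when the request must be refused."""
    req = ET.fromstring(request_xml)
    by_index, default = load_acs_endpoints(metadata_xml)
    url = req.get("AssertionConsumerServiceURL")
    idx = req.get("AssertionConsumerServiceIndex")
    if url is not None and idx is not None:
        raise ValueError("URL and Index are mutually exclusive")
    if idx is not None:                      # index: look it up in metadata
        if int(idx) not in by_index:
            raise ValueError("unknown AssertionConsumerServiceIndex")
        return by_index[int(idx)]
    if url is not None:                      # explicit URL: signed and registered
        if not request_is_signed:
            raise ValueError("explicit ACS URL requires a signed request")
        if url not in by_index.values():
            raise ValueError("ACS URL not registered in metadata")
        return url
    return default                           # nothing given: metadata default
```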


