Subject: RE: [security-services] Web SSO <AuthnRequest> conformance
> Here's a very trivial request (ids are very short) that is
> around 800 chars (base 64 encoding and url encoding will add 33%, and make
> this around 1150 chars). I guess dig sig is not really required (that would
> increase size drastically).

Well, that isn't optimized, I can see several things that aren't needed there. But yes, the goal was to ensure that a commonly used minimal subset of messages would fit, not that everything would.

> The request can also have SubjectConfirmation, Conditions, AuthContext
> stuff, IsPassive, ForceAuthn, AssertionConsumerServiceIndex and URL,
> ProviderName, etc... which can hit a 2k limit.

Note that conditions, SubjectConfirmation, etc. are unlikely to be used in the browser SSO use case. They're legal, yes, but not common. We included them because it facilitated a more uniform way of addressing SSO across other use cases.

But I think we both agree that there should be an MTI binding for this that does support *any* message allowed. And POST is IMHO the simpler of the two bindings that supports this, although I've always been biased on that issue.

-- Scott
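The size argument in this message, as an added example that is not part of the original thread: a sender-side check that encodes an `<AuthnRequest>` for a URL and falls back to POST when it would not fit. It models only the base64 and URL-encoding steps mentioned above; the endpoint, the 2048-character limit, the sample messages and all function names are assumptions.

```python
import base64
import urllib.parse

URL_LIMIT = 2048  # assumption: the thread's "2k limit", counted in characters
IDP_SSO = "https://idp.example.org/sso"  # hypothetical IdP endpoint

def authn_request(attrs="", children=""):
    """Build a constructed <AuthnRequest>; IDs, hosts and times are made up."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_a1" Version="2.0" IssueInstant="2004-06-01T00:00:00Z"'
        + attrs + '>'
        '<saml:Issuer>https://sp.example.org/</saml:Issuer>'
        + children + '</samlp:AuthnRequest>'
    )

def conditions(n):
    """Constructed <Conditions> with n audience restrictions, to grow the message."""
    body = "".join(
        "<saml:AudienceRestriction><saml:Audience>https://sp%d.example.org/"
        "</saml:Audience></saml:AudienceRestriction>" % i for i in range(n)
    )
    return "<saml:Conditions>" + body + "</saml:Conditions>"

def encoded_param(xml):
    """base64, then percent-encode '+', '/' and '=' so the value is URL-safe."""
    b64 = base64.b64encode(xml.encode("utf-8")).decode("ascii")
    return urllib.parse.quote(b64, safe="")

def redirect_url(endpoint, xml):
    return endpoint + "?SAMLRequest=" + encoded_param(xml)

def pick_binding(endpoint, xml, limit=URL_LIMIT):
    """Use the URL only when the whole URL fits; otherwise fall back to POST."""
    return "redirect" if len(redirect_url(endpoint, xml)) <= limit else "post"

if __name__ == "__main__":
    cases = {
        "minimal": authn_request(),
        "with attributes": authn_request(
            ' ForceAuthn="true" IsPassive="false"'
            ' AssertionConsumerServiceIndex="0" ProviderName="Example SP"'),
        "with 20 conditions": authn_request(children=conditions(20)),
    }
    for name, xml in cases.items():
        url = redirect_url(IDP_SSO, xml)
        print("%-20s raw=%5d url=%5d -> %s"
              % (name, len(xml), len(url), pick_binding(IDP_SSO, xml)))
```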