Subject: RE: [security-services] Web SSO <AuthnRequest> conformance
Greg, others, thanks. You are probably correct and it is not as bad. I had also included RelayState and implementation-specific data in the redirection URLs I was attempting -- which added to the size of the request. Whether it's MTI is up to the group.

Greg, Scott, just curious, you guys suggested the xml is not optimized; with the exception of the saml ns in 2 locations, and the Format of the issuer which is optional, everything else is as expected under normal conditions (i.e., consent is req'd and ID Federation is possible).

Thanks, Tom.

-----Original Message-----
From: Greg Whitehead [mailto:grw@trustgenix.com]
Sent: Tuesday, October 26, 2004 9:00 PM
To: Thomas Wisniewski
Cc: Mishra, Prateek; Scott Cantor; security-services@lists.oasis-open.org
Subject: Re: [security-services] Web SSO <AuthnRequest> conformance

On Oct 26, 2004, at 6:31 PM, Thomas Wisniewski wrote:

> That was it exactly. Perhaps the size limits are fairly large (typically
> closer to 2k at least), and for conformance (and interop), only "small"
> <AuthnRequest>s are handled.
>
> Here's a very trivial request (ids are very short) that is around 800 chars
> (base 64 encoding and url encoding will add 33%, and make this around 1150
> chars). I guess dig sig is not really required (that would increase size
> drastically).

You're forgetting the deflate encoding step.

The actual numbers for your example are:

<samlp:AuthnRequest Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
    ID="_9494578B5BDA829CF967D5AAA5DFA158C2A85EEF"
    IssueInstant="2004-10-26T17:56:02Z" Version="2.0"
    xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
      NameQualifier="" SPNameQualifier=""
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    idp
  </saml:Issuer>
  <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      SPNameQualifier="sp.company.com"/>
</samlp:AuthnRequest>

xml length=776
deflated length=366
base64=eJydkl9LwzAUxd/9FCE+r+nquq1hE7LVwcCJOhHxRWIat0ibxNyUbt/etCoK/kOfAjeHe875cSfAq9JSVvutvpRPtQSP5kaD1H6Ka6ep4aCAal5JoF7QNVud0iSKqXgR0VqDlUI9KFlgtMyn+C4bZIN0NJ6ls5yNk2y+yIajPGWMpfmC9dPxPGHj9ORkEeQAtVxq8Lx1S+J40OvHvWR41R/RdEjj5Baja+lAGR2+oxijXVVq+DmYdcYbYcpXMS2Cfuu9pYQ0TRM1R5FxGxLMYhJnJGgKUJvDN3WH428GO1DfOPTJzep0Lbay4j3V1RQSHx9MWhPalXdoYVzFf2HdTlTRe+ikNFBXfo/RWZhe1Lxs2bspxmh9/mn0XupnBw4gnQ+cQzyEVGEPJuRDyrfM6/r+UQr/j7XkdYWlbcZlfm5KJfaIlaVp5k5yL6fYu1rifwCx7YmAD1y+YAA2EqayXO/bt8tBPt/88TOfzQYS
base64 length=494

Of course, there are a number of unnecessary attributes/elements in your example. Pruning those, I get:

<samlp:AuthnRequest Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" ID="_9494578B5BDA829CF967D5AAA5DFA158C2A85EEF" IssueInstant="2004-10-26T17:56:02Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idp</saml:Issuer><samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="sp.company.com"/></samlp:AuthnRequest>

xml length=521
deflated length=291
base64=eJydkU1rwzAMhv+K8b1tGuo2EU3ATRoobKP7YIddhkldZnBsz7LZ+u8Xt5fu0sFOAumV3kfSGsWgHfAYPsyT/IwSA2msQWlCRaM3YAUqBCMGiRB6eOb3d5BPM+gvIogGnezVUckDJbu2ou/lolywVbFhm5YXedl05XLVMs45azs+Z0WT84Jtt90oR4xyZzCI5JZn2WIyzyb58mW+AraELH+j5FV6VNaM5WlGyfegDcKZ+Tae8zbY3mpar5MazlaedNYP4o/NUkYdJsezFMYdVThdO9/uFojSh5GY1urg1rMr9wuKg4exadfurVb9iXCt7VfjpQiyosFHSf8B6dKRMIyslDzv0/zHKHR6iq8oumlvByfMKUU6qy9Qv59e/wCgK7Ei
base64 length=393

Not to say that POST shouldn't be MTI, but I don't think the URL encoding is really as bad as you think it is.

-Greg
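The following is an added example, not code from the thread or from any of the participants' implementations. It reproduces the pipeline Greg describes for the HTTP-Redirect binding (raw DEFLATE, then base64, then URL-encoding into the SAMLRequest query parameter) over both of the requests above, whitespace-normalized, so the byte counts it prints will differ a little from the ones Greg reported. It also adds the receiver-side check a practitioner wants when inflating a request that arrived in a URL: a bounded inflate with a cap (MAX_INFLATED_BYTES, a hypothetical value) so that a few hundred bytes of compressed data cannot expand into an arbitrarily large document before the XML parser ever sees it. The RelayState value is constructed for illustration.

```python
"""Size of a SAML 2.0 <AuthnRequest> under the HTTP-Redirect binding.

Added example; the two requests are the verbose and pruned samples from
the thread, whitespace-normalized, so sizes differ slightly from Greg's.
"""
import base64
import urllib.parse
import zlib

# Constructed sample: Tom's original request with the extra namespaces.
VERBOSE_REQUEST = (
    '<samlp:AuthnRequest Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" '
    'ID="_9494578B5BDA829CF967D5AAA5DFA158C2A85EEF" IssueInstant="2004-10-26T17:56:02Z" '
    'Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
    'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    '<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" '
    'NameQualifier="" SPNameQualifier="" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idp</saml:Issuer>'
    '<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>'
    '<samlp:NameIDPolicy AllowCreate="true" '
    'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" '
    'SPNameQualifier="sp.company.com"/>'
    '</samlp:AuthnRequest>'
)

# Constructed sample: Greg's pruned version of the same request.
PRUNED_REQUEST = (
    '<samlp:AuthnRequest Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" '
    'ID="_9494578B5BDA829CF967D5AAA5DFA158C2A85EEF" IssueInstant="2004-10-26T17:56:02Z" '
    'Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idp</saml:Issuer>'
    '<samlp:NameIDPolicy AllowCreate="true" '
    'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" '
    'SPNameQualifier="sp.company.com"/>'
    '</samlp:AuthnRequest>'
)

# Hypothetical operational limit on the inflated request a receiver buffers.
MAX_INFLATED_BYTES = 64 * 1024


def raw_deflate_b64(data):
    """Raw DEFLATE (RFC 1951, no zlib header/trailer) followed by base64,
    which is what the HTTP-Redirect binding specifies for SAMLRequest."""
    comp = zlib.compressobj(zlib.Z_BEST_COMPRESSION, zlib.DEFLATED, -15)
    deflated = comp.compress(data) + comp.flush()
    return base64.b64encode(deflated).decode("ascii")


def redirect_encode(xml, relay_state=None):
    """Encode one request and report the size after each stage, including
    the URL-encoded query string (where '+', '/' and '=' grow to 3 chars)."""
    raw = xml.encode("utf-8")
    b64 = raw_deflate_b64(raw)
    params = {"SAMLRequest": b64}
    if relay_state is not None:
        params["RelayState"] = relay_state  # Tom's extra payload, constructed
    query = urllib.parse.urlencode(params)
    return {
        "xml_len": len(raw),
        "deflated_len": len(base64.b64decode(b64)),
        "base64_len": len(b64),
        "query_len": len(query),
        "base64": b64,
        "query": query,
    }


def redirect_decode(b64, max_bytes=MAX_INFLATED_BYTES):
    """Reverse the encoding with a bounded inflate. Raises ValueError when
    the inflated document would exceed max_bytes or the stream is truncated,
    so a small URL cannot turn into an arbitrarily large XML parse."""
    try:
        deflated = base64.b64decode(b64, validate=True)
        d = zlib.decompressobj(-15)
        out = d.decompress(deflated, max_bytes)
        if d.unconsumed_tail:  # output hit the cap with input left over
            raise ValueError("SAMLRequest inflates beyond %d bytes" % max_bytes)
        out += d.flush()
        if len(out) > max_bytes:
            raise ValueError("SAMLRequest inflates beyond %d bytes" % max_bytes)
        if not d.eof:
            raise ValueError("SAMLRequest deflate stream is truncated")
    except zlib.error as exc:
        raise ValueError("SAMLRequest is not a valid deflate stream") from exc
    return out.decode("utf-8")


def size_report(relay_state="https://sp.company.com/app"):
    """Per-stage sizes for both requests, with a constructed RelayState."""
    return {
        "verbose": redirect_encode(VERBOSE_REQUEST, relay_state),
        "pruned": redirect_encode(PRUNED_REQUEST, relay_state),
    }


if __name__ == "__main__":
    for name, r in size_report().items():
        print("%-8s xml=%d deflated=%d base64=%d query=%d" % (
            name, r["xml_len"], r["deflated_len"], r["base64_len"], r["query_len"]))
```

Running it shows the same shape as Greg's numbers: deflate roughly halves the XML because the `urn:oasis:names:tc:SAML:2.0:` prefixes repeat, base64 then adds a third back, and URL-encoding adds a little more on top of that. The pruned request stays smaller at every stage, and the decoder refuses any payload whose inflated size passes the cap before it reaches an XML parser.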