OASIS Mailing List Archives

saml-dev message

Subject: Re: [saml-dev] Use of Provider ID in Redirect-Artifact Profile


Thanks Tom! Please see responses inline below ###.

----- Original Message ----- 
From: "Tom Scavo" <trscavo@gmail.com>
To: "Kunal Gandhi" <kunal@amsoft.net>
Cc: <saml-dev@lists.oasis-open.org>
Sent: Thursday, October 20, 2005 7:38 PM
Subject: Re: [saml-dev] Use of Provider ID in Redirect-Artifact Profile


On 10/20/05, Kunal Gandhi <kunal@amsoft.net> wrote:
>
> I have implemented Redirect-Artifact Profile for authentication.

Since you mention "common domain" below, I assume you're talking about SAML 
2.0.

###
Yes.
###
> 1. Upon verification of credentials, IDP does a redirect to the SP with a
> SAML Artifact
>
> 2. During the redirect, the IDP drops a common domain cookie on user's
> machine. The name of this cookie is the same as the 'ProviderID' in the 
> SAML
> Artifact and its value is an identifier which can be resolved (by the SP) 
> to
> get IDP's Artifact Resolution Service?

I think you're mixing apples and oranges here.  Let's ignore the
common domain cookie for a moment.  Shouldn't the SP extract the
SourceID and EndPointIndex from the artifact and do a metadata lookup
to determine the artifact resolution endpoint location at the IdP?

###
For this the SourceID should either be resolvable or be mapped to a URI from
where Metadata can be looked up.
Since the SourceID (within the artifact) is limited in length, it can't be a
resolvable identifier as I am building the service based on XRI (Extensible
Resource Identifier) which can be longer. I can only reach IDP's metadata if I
know its XRI. I resolve the XRI to get its Metadata End Point. For this reason
I need to discover the IDP upon receiving an Artifact.

Also, mapping a SourceID to a URI requires a priori arrangement which is
not desired.
###

> 2b. Can I just put the value of the cookie as the URI of the IDP's 
> Artifact
> Resolution Service? This would save a step to resolve IDP's identifier. Is
> there any restriction as to what value the cookie can have?

The common domain cookie is for IdP discovery, not artifact
resolution, so I'm not sure what you're trying to do here.  I must be
missing something.

###
For the above mentioned reason.
###
Tom
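The artifact handling the two of them are discussing, shown as an added example (this is not code from either participant or from any SAML implementation). It carries out the lookup Tom describes for a SAML 2.0 type 0x0004 artifact: base64-decode, split off the TypeCode, EndpointIndex, SourceID (SHA-1 of the IdP entityID) and MessageHandle, then map the 20-byte SourceID back to an IdP whose metadata the SP already holds and pick the ArtifactResolutionService with the matching index. The entityIDs and endpoint URLs in IDP_METADATA are constructed for the example, and the metadata dictionary stands in for a real parsed metadata document; the fact that the SP must hold that metadata in advance is exactly the a priori arrangement Kunal says he wants to avoid, which is why an unknown SourceID can only fail here.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample of pre-registered IdP metadata (assumption: these
# entityIDs and ArtifactResolutionService URLs are invented for the example;
# a real SP would load them from each IdP's metadata document).
IDP_METADATA: Dict[str, Dict[int, str]] = {
    "https://idp.example.org/saml2": {
        0: "https://idp.example.org/saml2/ars/soap",
        1: "https://idp-backup.example.org/saml2/ars/soap",
    },
    "https://idp.example.net/shibboleth": {
        0: "https://idp.example.net/idp/profile/SAML2/SOAP/ArtifactResolution",
    },
}

ARTIFACT_TYPE_0004 = 0x0004
ARTIFACT_LENGTH = 2 + 2 + 20 + 20  # TypeCode + EndpointIndex + SourceID + MessageHandle


@dataclass(frozen=True)
class Artifact:
    type_code: int
    endpoint_index: int
    source_id: bytes       # SHA-1 of the issuing IdP's entityID (20 bytes)
    message_handle: bytes  # opaque per-message handle (20 bytes)


def source_id(entity_id: str) -> bytes:
    """SAML 2.0 type 0x0004 artifacts carry SHA-1(entityID) as the SourceID."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def build_artifact(entity_id: str, endpoint_index: int,
                   message_handle: Optional[bytes] = None) -> str:
    """What the IdP places in the redirect: base64 of the 44-byte artifact."""
    if message_handle is None:
        message_handle = secrets.token_bytes(20)
    if len(message_handle) != 20:
        raise ValueError("MessageHandle must be exactly 20 bytes")
    if not 0 <= endpoint_index <= 0xFFFF:
        raise ValueError("EndpointIndex must fit in two bytes")
    raw = (ARTIFACT_TYPE_0004.to_bytes(2, "big")
           + endpoint_index.to_bytes(2, "big")
           + source_id(entity_id)
           + message_handle)
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact_b64: str) -> Artifact:
    """SP side: decode and split the artifact, rejecting anything malformed."""
    raw = base64.b64decode(artifact_b64, validate=True)
    if len(raw) != ARTIFACT_LENGTH:
        raise ValueError(f"unexpected artifact length {len(raw)}, want {ARTIFACT_LENGTH}")
    type_code = int.from_bytes(raw[0:2], "big")
    if type_code != ARTIFACT_TYPE_0004:
        raise ValueError(f"unsupported artifact TypeCode 0x{type_code:04x}")
    return Artifact(
        type_code=type_code,
        endpoint_index=int.from_bytes(raw[2:4], "big"),
        source_id=raw[4:24],
        message_handle=raw[24:44],
    )


def lookup_idp(artifact_b64: str, metadata: Dict[str, Dict[int, str]]) -> Optional[str]:
    """Map the artifact's SourceID back to a known entityID, or None if unknown.

    This is the step that needs IdP metadata in hand before the artifact arrives:
    SHA-1 is not reversible, so the SP can only match against entityIDs it has.
    """
    art = parse_artifact(artifact_b64)
    by_source_id = {source_id(eid): eid for eid in metadata}
    return by_source_id.get(art.source_id)


def resolve_artifact_endpoint(artifact_b64: str,
                              metadata: Dict[str, Dict[int, str]]) -> Tuple[str, str]:
    """Return (entityID, ArtifactResolutionService URL) for the artifact's index."""
    art = parse_artifact(artifact_b64)
    entity_id = lookup_idp(artifact_b64, metadata)
    if entity_id is None:
        raise LookupError("SourceID matches no pre-registered IdP metadata")
    endpoints = metadata[entity_id]
    if art.endpoint_index not in endpoints:
        raise LookupError(f"IdP {entity_id} publishes no endpoint with index {art.endpoint_index}")
    return entity_id, endpoints[art.endpoint_index]


if __name__ == "__main__":
    # IdP side: mint an artifact for its second (index 1) resolution endpoint.
    artifact = build_artifact("https://idp.example.org/saml2", 1)
    # SP side: decode it and find where to send the ArtifactResolve request.
    print(resolve_artifact_endpoint(artifact, IDP_METADATA))
```

The SP would then send a SOAP ArtifactResolve containing the artifact to the returned URL over a mutually authenticated channel; nothing in the artifact itself tells the SP that URL, which is why the metadata table has to exist before the first artifact arrives.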