Subject: Re: [saml-dev] Use of Provider ID in Redirect-Artifact Profile


Thanks! See response inline ####.

Regards,

Kunal Gandhi

----- Original Message ----- 
From: "Tom Scavo" <trscavo@gmail.com>
To: "Kunal Gandhi" <kunal@amsoft.net>
Cc: <saml-dev@lists.oasis-open.org>
Sent: Friday, October 21, 2005 6:05 PM
Subject: Re: [saml-dev] Use of Provider ID in Redirect-Artifact Profile


On 10/21/05, Kunal Gandhi <kunal@amsoft.net> wrote:
>
> Shouldn't the SP extract the
> SourceID and EndPointIndex from the artifact and do a metadata lookup
> to determine the artifact resolution endpoint location at the IdP?
>
> #####
> For this the SourceID should either be resolvable or be mapped to a URI from
> where Metadata can be looked up.
> Since the SourceID (within the artifact) is limited in length, it can't be a
> resolvable identifier as I am building the service based on XRI (Extensible
> Resource Identifier) which can be longer. I can only reach IDP's metadata if I know
> its XRI. I resolve the XRI to get its Metadata End Point. For this reason I
> need to discover the IDP upon receiving an Artifact.
>
> Also, mapping a SourceID to a URI requires a priori arrangement which is
> not desired.
> #####

In practice, the SourceID is the SHA-1 hash of the providerId (see
section 3.6.4.2 of [SAML2Bind]).  On the SP end, the SHA-1 hashes of
all the providerIds in metadata are pre-computed and stored, or hashed
in real time and compared one by one to the SourceID.  In either case,
the issuing IdP becomes known.

#### Kunal wrote: #####
True. Just that it is not desired in our case to have such an arrangement that 
requires SP and IdP to exchange such info a priori. All discovery is based on 
XRI Resolution.
####################

Hope this helps,
Tom
