Subject: Re: [saml-dev] Use of Provider ID in Redirect-Artifact Profile
----- Original Message -----
From: "Prasad" <prasad.shenoy@gmail.com>
To: "Kunal Gandhi" <kunal@amsoft.net>
Cc: <saml-dev@lists.oasis-open.org>
Sent: Friday, October 21, 2005 6:56 PM
Subject: Re: [saml-dev] Use of Provider ID in Redirect-Artifact Profile

> Tom Scavo wrote:
>
>> On 10/21/05, Kunal Gandhi <kunal@amsoft.net> wrote:
>>
>>> Shouldn't the SP extract the SourceID and EndPointIndex from the artifact
>>> and do a metadata lookup to determine the artifact resolution endpoint
>>> location at the IdP?
>>>
>>> #####
>>> For this the SourceID should either be resolvable or be mapped to a URI
>>> from where Metadata can be looked up.
>>> Since the SourceID (within the artifact) is limited in length, it can't
>>> be a resolvable identifier as I am building the service based on XRI
>>> (Extensible Resource Identifier) which can be longer. I can only reach
>>> the IDP's metadata if I know its XRI. I resolve the XRI to get its
>>> Metadata End Point. For this reason I need to discover the IDP upon
>>> receiving an Artifact.
>>>
>>> Also, mapping a SourceID to a URI requires a priori arrangement which is
>>> not desired.
>>> #####
>>>
>>
>> In practice, the SourceID is the SHA-1 hash of the providerId (see
>> section 3.6.4.2 of [SAML2Bind]). On the SP end, the SHA-1 hashes of
>> all the providerIds in metadata are pre-computed and stored, or hashed
>> in real time and compared one by one to the SourceID. In either case,
>> the issuing IdP becomes known.
>>
>> Hope this helps,
>> Tom
>>
>
> Kunal,
>
> Why are you using XRIs to compute a reference to provider metadata? Any
> special use case that you are working on? The standard practice as Tom
> said is to use the SHA1 hash of the provider ID as the succinct Id that is
> unique across a particular domain.
>
> Prasad.

#### Kunal wrote: ####
Thank you Prasad! See response to Tom's mail earlier.
###################
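The SP-side lookup Tom describes, as an added example that is not part of this thread: the SP decodes the artifact, takes the SourceID and EndpointIndex fields, and matches the SourceID against SHA-1 digests pre-computed over the providerIds (entityIDs) in its metadata. It assumes the SAML 2.0 type 0x0004 artifact layout (2-byte type code, 2-byte endpoint index, 20-byte SourceID, 20-byte MessageHandle, base64-encoded); the entityIDs and the message handle are constructed sample values.

```python
import base64
import hashlib
import struct

# Constructed sample metadata: providerIds (entityIDs) of the IdPs this SP trusts.
TRUSTED_IDP_ENTITY_IDS = [
    "https://idp.example.org/saml2/idp",
    "https://login.example.net/idp",
]

ARTIFACT_TYPE_CODE = 0x0004  # SAML 2.0 artifact type (network byte order)
ARTIFACT_LENGTH = 44         # 2 + 2 + 20 (SourceID) + 20 (MessageHandle)


def build_sourceid_table(entity_ids):
    """Pre-compute SHA-1(providerId) -> providerId once, at metadata load time."""
    return {hashlib.sha1(e.encode("utf-8")).digest(): e for e in entity_ids}


def parse_artifact(artifact_b64):
    """Decode a type 0x0004 artifact into (endpoint_index, source_id, message_handle).

    Malformed or unknown-type artifacts are rejected before any lookup happens.
    """
    raw = base64.b64decode(artifact_b64, validate=True)
    if len(raw) != ARTIFACT_LENGTH:
        raise ValueError("type 0x0004 artifact must be %d bytes, got %d" % (ARTIFACT_LENGTH, len(raw)))
    type_code, endpoint_index = struct.unpack(">HH", raw[:4])
    if type_code != ARTIFACT_TYPE_CODE:
        raise ValueError("unsupported artifact type code 0x%04x" % type_code)
    return endpoint_index, raw[4:24], raw[24:44]


def resolve_issuer(artifact_b64, table):
    """Return (issuer entityID, endpoint index) for an artifact, or raise if the
    SourceID matches no IdP in metadata (the SP must not resolve such artifacts)."""
    endpoint_index, source_id, _handle = parse_artifact(artifact_b64)
    entity_id = table.get(source_id)
    if entity_id is None:
        raise LookupError("artifact SourceID matches no IdP in metadata")
    return entity_id, endpoint_index


def make_artifact(entity_id, endpoint_index, message_handle):
    """Build a type 0x0004 artifact; used here only to construct sample input."""
    if len(message_handle) != 20:
        raise ValueError("MessageHandle must be 20 bytes")
    source_id = hashlib.sha1(entity_id.encode("utf-8")).digest()
    header = struct.pack(">HH", ARTIFACT_TYPE_CODE, endpoint_index)
    return base64.b64encode(header + source_id + message_handle).decode("ascii")
```

Once the issuer is known, the SP selects the ArtifactResolutionService with the matching index from that IdP's metadata; an artifact whose SourceID is not in the table is simply dropped.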