Subject: Re: [saml-dev] Use of Provider ID in Redirect-Artifact Profile



----- Original Message ----- 
From: "Prasad" <prasad.shenoy@gmail.com>
To: "Kunal Gandhi" <kunal@amsoft.net>
Cc: <saml-dev@lists.oasis-open.org>
Sent: Friday, October 21, 2005 6:56 PM
Subject: Re: [saml-dev] Use of Provider ID in Redirect-Artifact Profile


> Tom Scavo wrote:
>
>>On 10/21/05, Kunal Gandhi <kunal@amsoft.net> wrote:
>>
>>>Shouldn't the SP extract the
>>>SourceID and EndPointIndex from the artifact and do a metadata lookup
>>>to determine the artifact resolution endpoint location at the IdP?
>>>
>>>#####
>>>For this the SourceID should either be resolvable or be mapped to a URI
>>>from where Metadata can be looked up.
>>>Since the SourceID (within the artifact) is limited in length, it can't
>>>be a resolvable identifier as I am building the service based on XRI
>>>(Extensible Resource Identifier) which can be longer. I can only reach
>>>IDP's metadata if I know its XRI. I resolve the XRI to get its Metadata
>>>End Point. For this reason I need to discover the IDP upon receiving an
>>>Artifact.
>>>
>>>Also, mapping a SourceID to a URI requires a priori arrangement which is
>>>not desired.
>>>#####
>>>
>>
>>In practice, the SourceID is the SHA-1 hash of the providerId (see
>>section 3.6.4.2 of [SAML2Bind]).  On the SP end, the SHA-1 hashes of
>>all the providerIds in metadata are pre-computed and stored, or hashed
>>in real time and compared one by one to the SourceID.  In either case,
>>the issuing IdP becomes known.
>>
>>Hope this helps,
>>Tom
>>
> Kunal,
>
> Why are you using XRIs to compute a reference to provider metadata? Any
> special use case that you are working on? The standard practice, as Tom
> said, is to use the SHA1 hash of the provider ID as the succinct ID that is
> unique across a particular domain.
>
> Prasad.

#### Kunal wrote: ####
Thank you Prasad! See response to Tom's mail earlier.
################### 
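Tom's lookup procedure above (SourceID is the SHA-1 of the providerId, so the SP matches it against pre-computed hashes of the entityIDs in its metadata and then picks the ArtifactResolutionService by EndpointIndex), as an added Python example that is not from this thread. It builds and parses a SAML 2.0 type 0x0004 artifact; the entityIDs, endpoint URLs and the metadata dictionary are constructed for illustration.

```python
import base64
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample metadata: entityID -> {EndpointIndex: ArtifactResolutionService URL}.
# In a real SP this is derived from the IdP metadata the SP has loaded.
SAMPLE_METADATA: Dict[str, Dict[int, str]] = {
    "https://idp.example.org/idp/shibboleth": {
        0: "https://idp.example.org/idp/profile/SAML2/SOAP/ArtifactResolution",
    },
    "https://idp.example.com/saml2/idp": {
        0: "https://idp.example.com/saml2/idp/ArtifactResolutionService",
        1: "https://idp.example.com:8443/saml2/idp/ArtifactResolutionService",
    },
}

ARTIFACT_TYPE_0004 = b"\x00\x04"  # TypeCode for the SAML 2.0 artifact format

@dataclass
class Artifact:
    endpoint_index: int
    source_id: bytes       # 20-byte SHA-1 of the issuer's entityID
    message_handle: bytes  # 20 random bytes identifying the message at the IdP

def source_id_for(entity_id: str) -> bytes:
    """SourceID = SHA-1 of the providerId/entityID (SAML2Bind section 3.6.4.2)."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()

def build_artifact(entity_id: str, endpoint_index: int) -> str:
    """Type 0x0004 artifact: TypeCode(2) | EndpointIndex(2) | SourceID(20) | MessageHandle(20), base64."""
    raw = (ARTIFACT_TYPE_0004 + endpoint_index.to_bytes(2, "big")
           + source_id_for(entity_id) + os.urandom(20))
    return base64.b64encode(raw).decode("ascii")

def parse_artifact(artifact_b64: str) -> Artifact:
    """Decode and validate the fixed 44-byte layout; reject anything else."""
    raw = base64.b64decode(artifact_b64, validate=True)
    if len(raw) != 44 or raw[:2] != ARTIFACT_TYPE_0004:
        raise ValueError("not a SAML 2.0 type 0x0004 artifact")
    return Artifact(int.from_bytes(raw[2:4], "big"), raw[4:24], raw[24:44])

def resolve_issuer(artifact_b64: str, metadata: Dict[str, Dict[int, str]]) -> Optional[Tuple[str, str]]:
    """Return (entityID, resolution endpoint) for the artifact's issuer, or None if unknown."""
    art = parse_artifact(artifact_b64)
    # Hash table of SourceID -> entityID; an SP would pre-compute this once when metadata loads.
    by_source_id = {source_id_for(eid): eid for eid in metadata}
    entity_id = by_source_id.get(art.source_id)
    if entity_id is None:
        return None  # issuer not in our metadata: do not attempt resolution
    endpoint = metadata[entity_id].get(art.endpoint_index)
    return (entity_id, endpoint) if endpoint is not None else None
```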