Subject: Re: [saml-dev] Use of Provider ID in Redirect-Artifact Profile


Please see response inline #####.

Regards,

Kunal Gandhi

----- Original Message ----- 
From: "Scott Cantor" <cantor.2@osu.edu>
To: "'Kunal Gandhi'" <kunal@amsoft.net>
Cc: <saml-dev@lists.oasis-open.org>
Sent: Friday, October 21, 2005 8:17 PM
Subject: RE: [saml-dev] Use of Provider ID in Redirect-Artifact Profile


>> But again, this requires SP to know beforehand that so and so IDP has so
>> and so ProviderID, which is not desired.
>
> This wasn't a use case for the TC and I don't think the specs really
> support it at this stage. But I guess one piece of advice would be to dump
> artifact. If you really want to do this dynamically (and I think you're
> going to find that becomes very difficult in practice), then use POST.

####### Kunal wrote: ##########
I did that earlier, but it wasn't well received, for want of a better user
experience by limiting the role of JavaScript.
############################

>
>> I am trying to avoid this step. I'd like a self-arranging implementation
>> where services are discovered using XRI Resolution Only and not by out of
>> band exchange (as far as feasible). This is important. This is the reason
>> why I want to discover the IDP using a common domain cookie upon
>> receiving SAML Artifact.
>
> A common domain usually assumes prior set up so that the entities all have
> a presence in the domain. It runs counter to your use case. It's also in
> conflict because if the SP uses the CDC to decide what IdP to use, then
> obviously it *knows* about the IdP. So you'd have the providerId.
>

###### Kunal wrote: #######

I believe getting the CDC is implementation specific and not dictated by SAML,
except that the name should be _saml_idp and that it should be marked secure (I
might be missing something more, but nothing that is substantial enough to
impact what is written below).

How I have thought about it is that there can be 2 domains with the same common
base domain, say sp.commondomain.com and idp.commondomain.com.

SPs and IDPs would just need to know about their respective (persistent)
sub-domains beforehand. There could be just one sp.commondomain.com which
serves all SPs and one idp.commondomain.com which serves all IDPs.

1. IDP redirects (with return URL) to idp.commondomain.com with its XRI as a
request parameter, which idp.commondomain.com appends to the list of values
of the CDC.
2. IDP then redirects to the SP with SAML Artifact.
3. SP, upon receiving SAML Artifact, redirects (with return URL) to
sp.commondomain.com, which reads the CDC and returns the last appended value,
an XRI of an IDP, to it on the return URL. [Absolutely no thought went in
here about dealing with synchronization issues w.r.t. multiple simultaneous
requests to/from multiple sources.]
4. SP has the XRI. It uses the SAML Artifact just as a message handle. No
independent use of SourceID.

########################

> -- Scott
>
>
> ---------------------------------------------------------------------
> This publicly archived list supports open discussion on implementing the
> SAML OASIS Standard. To minimize spam in the
> archives, you must subscribe before posting.
>
> [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
> Alternately, using email: list-[un]subscribe@lists.oasis-open.org
> List archives: http://lists.oasis-open.org/archives/saml-dev/
> Committee homepage: http://www.oasis-open.org/committees/security/
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> Join OASIS: http://www.oasis-open.org/join/
>
>
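Steps 1 and 3 of the scheme above, as an added example that is not code from the thread or from any SAML implementation: the write and read logic a common-domain host would apply to the _saml_idp cookie. It assumes the value format of the SAML 2.0 IdP Discovery Profile (space-separated, base64-encoded identifiers, most recent last) with an XRI used as the identifier; function names and the sample XRIs are made up for the example.

```python
import base64
import binascii
from typing import List, Optional

COOKIE_NAME = "_saml_idp"  # name fixed by the SAML 2.0 IdP Discovery Profile


def encode_idp_id(idp_id: str) -> str:
    """One cookie entry: the base64 form of the IdP identifier (here an XRI)."""
    return base64.b64encode(idp_id.encode("utf-8")).decode("ascii")


def append_idp(existing_cookie: Optional[str], idp_id: str) -> str:
    """Step 1 (idp.commondomain.com): append the IdP's id to the CDC value.

    The value is a space-separated list with the most recent IdP last. An
    earlier copy of the same id is dropped first so the list does not grow
    without bound and so "last" always means "most recently used".
    """
    tokens: List[str] = existing_cookie.split() if existing_cookie else []
    token = encode_idp_id(idp_id)
    tokens = [t for t in tokens if t != token]
    tokens.append(token)
    return " ".join(tokens)


def last_idp(cookie_value: Optional[str]) -> Optional[str]:
    """Step 3 (sp.commondomain.com): return the last appended IdP id, or None.

    The cookie is client-supplied, so a malformed entry is treated as "no
    discovery result" rather than an error, and the SP should use the value
    only as a hint about where to resolve the artifact, not as proof of the
    IdP's identity.
    """
    if not cookie_value:
        return None
    token = cookie_value.split()[-1]
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    # Constructed sample: two IdPs visit the common domain in turn.
    value = append_idp(None, "xri://@example-idp-one")
    value = append_idp(value, "xri://@example-idp-two")
    print(COOKIE_NAME, "=", value)
    print("SP discovers:", last_idp(value))
```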