Subject: RE: [saml-dev] Use of Provider ID in Redirect-Artifact Profile
> I believe getting CDC is implementation specific and not dictated by SAML
> except the name should be _saml_idp and that it should be marked secure (I
> might be missing something more but nothing that is substantial to impact
> what is written below).

You're correct, it is only a minimal set of requirements because the use of the cookie is mostly out of scope.

> How I have thought about it is that, there can be 2 domains with same common
> base domain, say sp.commondomain.com and idp.commondomain.com.

How can you force all your apparently disjoint participants to use that one domain? Who runs it? If they truly don't know each other to start with, then why would they use this domain?

It just seems like if you can actually use a common domain, you don't really need the kind of discoverability you're assuming you need. You can even centralize the distribution of signed metadata just as easily as setting all this up, and then you don't have to worry about "unknown" IdPs. This is basically how a typical Shibboleth federation works.

As far as the rest goes, I'm not saying it won't work, I'm just saying that it's not part of the standard, and that means you don't have any interop. If you're going to provide all the software at both ends, it doesn't really matter what you do.

-- Scott