
saml-dev message


Subject: RE: [saml-dev] Use of Provider ID in Redirect-Artifact Profile

> I believe getting CDC is implementation specific and not dictated by SAML
> except the name should be _saml_idp and that it should be marked secure (I
> might be missing something more but nothing that is substantial to impact
> what is written below).

You're correct, it is only a minimal set of requirements because the use of
the cookie is mostly out of scope.

> How I have thought about it is that, there can be 2 domains with same
> base domain, say sp.commondomain.com and idp.commondomain.com.

How can you force all your apparently disjoint participants to use that one
domain? Who runs it? If they truly don't know each other to start with, then
why would they use this domain?

It just seems like if you can actually use a common domain, you don't really
need the kind of discoverability you're assuming you need. You can even
centralize the distribution of signed metadata just as easily as setting all
this up, and then you don't have to worry about "unknown" IdPs. This is
basically how a typical Shibboleth federation works.

As far as the rest goes, I'm not saying it won't work, I'm just saying that
it's not part of the standard, and that means you don't have any interop. If
you're going to provide all the software at both ends, it doesn't really
matter what you do.

-- Scott
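The thread above turns on the one piece of the common domain cookie that the standard does pin down: a cookie named _saml_idp, set with the Secure flag on the common domain, whose value is a space-separated list of base64-encoded IdP entityIDs with the most recently used IdP last (SAML 2.0 Profiles, IdP Discovery Profile). The following is an added example, not code from the original message or from any SAML implementation, showing both halves of that exchange: the IdP appending itself to the cookie after authentication, and an SP reading it and falling back to its own trusted metadata for exactly the "unknown IdP" case Scott describes. The entityIDs, the domain commondomain.com and the cap on the number of entries are constructed for illustration; the cap in particular is a local choice, not something the profile specifies.

```python
import base64
from http.cookies import SimpleCookie

COOKIE_NAME = "_saml_idp"   # name fixed by the SAML IdP Discovery Profile
MAX_ENTRIES = 16            # assumption: local cap to keep the cookie small; not from the profile


def parse_cdc(value):
    """Decode the cookie value into a list of entityIDs, oldest first.

    Each token is base64; anything that does not decode cleanly is rejected
    rather than silently skipped, since the cookie is attacker-influenceable.
    """
    ids = []
    for token in value.split(" "):
        if not token:
            continue
        try:
            ids.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            raise ValueError("malformed %s entry" % COOKIE_NAME)
    return ids


def encode_cdc(entity_ids):
    """Encode a list of entityIDs as the space-separated base64 list."""
    return " ".join(
        base64.b64encode(eid.encode("utf-8")).decode("ascii") for eid in entity_ids
    )


def idp_update_cdc(existing_value, own_entity_id):
    """IdP side: after authenticating a user, record ourselves as most recent.

    A previous entry for the same IdP is moved to the end rather than duplicated,
    and the list is trimmed from the front to MAX_ENTRIES (local choice).
    """
    ids = parse_cdc(existing_value) if existing_value else []
    ids = [eid for eid in ids if eid != own_entity_id]
    ids.append(own_entity_id)
    return encode_cdc(ids[-MAX_ENTRIES:])


def sp_select_idp(cookie_value, trusted_idps):
    """SP side: pick the most recently used IdP that appears in our metadata.

    The cookie only hints; an IdP we have no signed metadata for is ignored,
    which is why a common domain does not remove the need for metadata exchange.
    """
    for eid in reversed(parse_cdc(cookie_value)):
        if eid in trusted_idps:
            return eid
    return None


def build_set_cookie_header(value, common_domain):
    """Build the Set-Cookie header value: scoped to the common domain, Secure."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = value
    jar[COOKIE_NAME]["domain"] = common_domain
    jar[COOKIE_NAME]["path"] = "/"
    jar[COOKIE_NAME]["secure"] = True
    return jar.output(header="").strip()


if __name__ == "__main__":
    # Constructed walk-through: two IdPs under the hypothetical commondomain.com
    idp_a = "https://idp-a.commondomain.com/saml"
    idp_b = "https://idp-b.commondomain.com/saml"
    cookie = idp_update_cdc("", idp_a)
    cookie = idp_update_cdc(cookie, idp_b)
    cookie = idp_update_cdc(cookie, idp_a)      # A used again: moves to the end
    print(build_set_cookie_header(cookie, "commondomain.com"))
    print("SP choice:", sp_select_idp(cookie, {idp_a, idp_b}))
    print("SP choice (only B trusted):", sp_select_idp(cookie, {idp_b}))
```

Note that sp_select_idp never redirects to an entityID that is absent from the SP's own trust set: the cookie tells the SP which of the IdPs it already knows the user last used, nothing more, which is the interoperability limit the reply above is pointing at.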