saml-dev message


Subject: Re: [saml-dev] Use of Provider ID in Redirect-Artifact Profile

----- Original Message ----- 
From: "Scott Cantor" <cantor.2@osu.edu>
To: "'Kunal Gandhi'" <kunal@amsoft.net>
Cc: <saml-dev@lists.oasis-open.org>
Sent: Saturday, October 22, 2005 12:07 AM
Subject: RE: [saml-dev] Use of Provider ID in Redirect-Artifact Profile

>> I believe getting CDC is implementation specific and not dictated by SAML
>> except the name should be _saml_idp and that it should be marked secure (I
>> might be missing something more but nothing that is substantial to impact
>> what is written below).
> You're correct, it is only a minimal set of requirements because the use of
> the cookie is mostly out of scope.
>> How I have thought about it is that there can be 2 domains with the same
>> common base domain, say sp.commondomain.com and idp.commondomain.com.
> How can you force all your apparently disjoint participants to use that one
> domain? Who runs it? If they truly don't know each other to start with, then
> why would they use this domain?
> It just seems like if you can actually use a common domain, you don't really
> need the kind of discoverability you're assuming you need. You can even
> centralize the distribution of signed metadata just as easily as setting all
> this up, and then you don't have to worry about "unknown" IdPs. This is
> basically how a typical Shibboleth federation works.
> As far as the rest goes, I'm not saying it won't work, I'm just saying that
> it's not part of the standard, and that means you don't have any interop. If
> you're going to provide all the software at both ends, it doesn't really
> matter what you do.
Agreed on all counts here, Scott. Thanks!

What bothers me most about this design is having to discover the IdP from whom the
SP has already received an Artifact. The SP should simply be able to make out
who sent the Artifact. I have to figure out a way to use the SourceID.

I wasn't sure and that's why I came to the list, which has tremendously helped.

Thanks again!

> -- Scott
> ---------------------------------------------------------------------
> This publicly archived list supports open discussion on implementing the 
> SAML OASIS Standard. To minimize spam in the
> archives, you must subscribe before posting.
> [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
> Alternately, using email: list-[un]subscribe@lists.oasis-open.org
> List archives: http://lists.oasis-open.org/archives/saml-dev/
> Committee homepage: http://www.oasis-open.org/committees/security/
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> Join OASIS: http://www.oasis-open.org/join/
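As an added example (not code from this thread or from any SAML implementation), here is how an SP can do what the message above asks for: recover the SourceID from a SAML 2.0 type 0x0004 artifact and match it against the SHA-1 of each registered IdP entityID, so the SP knows which IdP's metadata to use for artifact resolution without any discovery cookie. The entityIDs and the artifact are constructed sample values.

```python
import base64
import hashlib

# Constructed sample: entityIDs of IdPs the SP has metadata for (assumed values).
KNOWN_IDPS = {
    "https://idp.example.org/saml2",
    "https://idp2.example.net/idp/shibboleth",
}

# SAML 2.0 artifact type 0x0004 (Bindings spec, 3.6.4):
#   TypeCode(2) | EndpointIndex(2) | SourceID(20) | MessageHandle(20) = 44 bytes
TYPE_CODE_0004 = b"\x00\x04"
ARTIFACT_LEN = 44


def source_id_for(entity_id: str) -> bytes:
    """SourceID is the SHA-1 digest of the issuing IdP's entityID."""
    return hashlib.sha1(entity_id.encode("utf-8")).digest()


def parse_artifact(artifact_b64: str):
    """Split a base64 type-0x0004 artifact into (endpoint_index, source_id, handle).

    Length and type are checked first so a malformed or foreign artifact is
    rejected before any lookup happens.
    """
    raw = base64.b64decode(artifact_b64, validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError("type 0x0004 artifact must be exactly 44 bytes")
    if raw[:2] != TYPE_CODE_0004:
        raise ValueError("unsupported artifact type code")
    endpoint_index = int.from_bytes(raw[2:4], "big")
    return endpoint_index, raw[4:24], raw[24:44]


def resolve_issuer(artifact_b64: str, known_idps):
    """Return the registered entityID whose SourceID matches, or None if unknown.

    The SP trusts only its own metadata store: the artifact merely selects
    which IdP to send the ArtifactResolve request to.
    """
    _, source_id, _ = parse_artifact(artifact_b64)
    by_source_id = {source_id_for(e): e for e in known_idps}
    return by_source_id.get(source_id)


def build_artifact(entity_id: str, endpoint_index: int = 0, handle: bytes = bytes(20)) -> str:
    """Constructed helper: encode an artifact the way an IdP would (for testing)."""
    raw = TYPE_CODE_0004 + endpoint_index.to_bytes(2, "big") + source_id_for(entity_id) + handle
    return base64.b64encode(raw).decode("ascii")
```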
