saml-dev message
Subject: RE: [saml-dev] "Target" URLs longer than 80 bytes? (was: RE: [saml-dev] SAML 1.1 Artifact Profile -> SAML 2.0 - missing TARGET attribute)


Since it is normally an SP that creates the relay state which it then
looks at when it comes back from the IDP, you could avoid sending the
entire URL as RelayState by saving it in a table and sending a short
handle as the RelayState.  When the handle comes back to the SP, just
look up the associated saved value.  Of course, this means maintaining
(presumably short-lived) state at the SP, but that's one alternative.

The use of RelayState on an IDP-initiated SSO isn't prescribed by SAML.
Some products do transfer a TARGET-style URL as the RelayState in those
scenarios.  But it is definitely limited to 80 bytes and, of course,
solutions such as what I described above wouldn't work. 

Rob Philpott
Senior Consulting Engineer
RSA Security Inc.
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
Email: rphilpott@rsasecurity.com
I-name:  =Rob.Philpott

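The handle-table alternative described above, as an added Python sketch that is not code from this thread or from any SAML product: the SP keeps the full target URL in short-lived server-side state and sends only a random handle as RelayState, so the 80-byte limit applies to the handle rather than the URL. The store class, the TTL, the handle length and the injectable clock are all assumptions made for the example.

```python
import secrets
import time

# SAML 2.0 bindings cap RelayState at 80 bytes (the limit discussed in the thread).
RELAYSTATE_MAX_BYTES = 80


def fits_relaystate(value: str) -> bool:
    """True if the value can be carried as a RelayState parameter as-is."""
    return len(value.encode("utf-8")) <= RELAYSTATE_MAX_BYTES


class RelayStateStore:
    """SP-side table mapping a short opaque handle to the real target URL.

    Entries are single-use and expire, so the handle is only meaningful for
    the one round trip to the IdP and back.  Because the SP only ever
    redirects to URLs it stored itself, the handle cannot be turned into an
    open redirect by editing the RelayState value.
    """

    def __init__(self, ttl_seconds: float = 300, now=time.time):
        self._entries: dict[str, tuple[str, float]] = {}
        self._ttl = ttl_seconds
        self._now = now  # injectable clock, assumed for testability

    def issue(self, target_url: str) -> str:
        """Save target_url and return the handle to send as RelayState."""
        handle = secrets.token_urlsafe(24)  # 32 URL-safe chars, unguessable
        assert fits_relaystate(handle)
        self._entries[handle] = (target_url, self._now() + self._ttl)
        return handle

    def redeem(self, relay_state: str):
        """Look up the handle that came back from the IdP; None if unknown,
        already used, or expired."""
        entry = self._entries.pop(relay_state, None)  # pop => single use
        if entry is None:
            return None
        target_url, expires_at = entry
        if self._now() > expires_at:
            return None
        return target_url
```

A production store would live in a shared cache or database and would also bind the handle to the user's browser session, neither of which this sketch does.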

> -----Original Message-----
> From: Brian Nielsen [mailto:brian@itst.dk]
> Sent: Monday, December 12, 2005 2:54 PM
> To: 'saml-dev@lists.oasis-open.org '
> Subject: [saml-dev] "Target" URLs longer than 80 bytes? (was: RE: [saml-
> dev] SAML 1.1 Artifact Profile -> SAML 2.0 - missing TARGET attribute)
> 
> Thank you Scott and all others that replied.
> 
> I have a basic follow-up question, based on IdP first:
> 
> Should I read the answer as if there is NO way in SAML 2.0 to send a
> "target" with a URL longer than 80 bytes (I know that RelayState does not
> allow for it)? This would mean that for services with URLs longer than 80
> bytes I will have to make an alias URL, that e.g. could be based on a
> rewrite?
> 
> 
> Best regards
> Brian Nielsen
> 
> 
> 
> 
> 
> 
> -----Original Message-----
> From: Scott Cantor
> To: Brian Nielsen; saml-dev@lists.oasis-open.org
> Sent: 11/18/2005 5:38 PM
> Subject: RE: [saml-dev] SAML 1.1 Artifact Profile -> SAML 2.0 - missing
> TARGET attribute
> 
> > This seems to have been replaced by some other mechanism in SAML 2.0,
> > the interop paper [2] has a description that might lead me to conclude
> > that RelayState could do the same for me "5.4 idP-Site-First Use Case
> > Requirements":
> 
> It does the same thing as long as the URL fits into 80 bytes. In
> practice, 2.0 encourages an SP-first design, or would tend to push the SP
> to define default locations to send users who enter unsolicited.
> 
> > Could someone please direct me to a resource that describes how to do
> > this in SAML 2.0.
> 
> I'm not sure what you're looking for; the profile, bindings, and core
> specs collectively define the system. If you want implementers'
> guidelines, they don't exist yet.
> 
> -- Scott
> 
> ---------------------------------------------------------------------
> This publicly archived list supports open discussion on implementing the
> SAML OASIS Standard. To minimize spam in the archives, you must subscribe
> before posting.
> 
> [Un]Subscribe/change address: http://www.oasis-open.org/mlmanage/
> Alternately, using email: list-[un]subscribe@lists.oasis-open.org
> List archives: http://lists.oasis-open.org/archives/saml-dev/
> Committee homepage: http://www.oasis-open.org/committees/security/
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> Join OASIS: http://www.oasis-open.org/join/
