Subject: Re: Réf. : Re: [saml-dev] Load balancing with SAML2
On Thu, Apr 17, 2008 at 9:25 AM, <valerie.bauche@bull.net> wrote:
>
> Thanks for your response: it seems to be a good solution for my problem,
> but it's just a draft and it's quite old (September 2006): will it become a
> standard at the end?

I added links to the most recent documents on the wiki page. It's a Committee Specification now. As a prerequisite to become an OASIS Standard, three OASIS members must attest to have implemented the spec. I know of only one (Shibboleth 2.0 @ Internet2). If two more members come forward, the standardization process may proceed.

> I've got another problem on the same subject:
> Using your solution the SP will receive an unsolicited response and will be
> able to process it. But the relaystate information it will receive has been
> generated by another SP and has no sense for the actual recipient.
> In my particular case the relay state allows the SP to know the precise URL
> asked by the user agent at the beginning of the process and then allows the SP
> to redirect correctly the user after completing the authentication process.
> So I can authenticate correctly the user but I lose the original context of
> its request and don't know what to do....
>
> Valérie
>
>
> "Tom Scavo" <trscavo@gmail.com>
>
> 17/04/2008 14:17
>
> To: valerie.bauche@bull.net
> cc: saml-dev@lists.oasis-open.org
> Subject: Re: [saml-dev] Load balancing with SAML2
>
>
> Perhaps this is a use case for <thrpty:RespondTo> as described in this spec:
>
> http://wiki.oasis-open.org/security/ProtocolExtThirdParty
>
> Hope this helps,
> Tom
>
> On Thu, Apr 17, 2008 at 8:01 AM, <valerie.bauche@bull.net> wrote:
> >
> > I want to protect an application which is load balanced. So I have multiple
> > instances of the application and then multiple instances of the SAML Service
> > Provider.
> > From the external, only 1 URL is known and it's the load balancer's job to tell
> > to which server it will be sent.
> > If the SP redirects the user to an IDP with an authnrequest, the IDP will
> > send the response to the SP URL (the same for all SPs), but the load
> > balancer can decide to send this response to any SP available.
> > So an SP can receive a response intended for another one....
> > Has anybody already thought about this kind of problem?
> >
> > Valerie
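
An added example, not part of the thread and not taken from any SAML implementation: one way to keep the original request context when the response lands on a different SP instance is to make RelayState self-contained and integrity-protected instead of a handle into one node's session store. It assumes every SP node behind the load balancer holds the same HMAC key; the function names and the key are hypothetical.

```python
import base64, hashlib, hmac, struct, time

# Assumption: this key is provisioned to every SP node (constructed demo value).
SHARED_KEY = b"constructed-demo-key-shared-by-all-SP-nodes"
MAX_RELAYSTATE = 80   # SAML 2.0 bindings: RelayState must not exceed 80 bytes
TAG_LEN = 16          # truncated HMAC-SHA256 tag

def make_relay_state(path, ttl=300, now=None, key=SHARED_KEY):
    """Pack the originally requested local path and an expiry into RelayState."""
    # Store only same-site paths so RelayState cannot become an open redirect.
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        raise ValueError("only same-site paths may be stored")
    expiry = int((now if now is not None else time.time()) + ttl)
    body = struct.pack(">I", expiry) + path.encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    token = base64.urlsafe_b64encode(tag + body).rstrip(b"=").decode("ascii")
    if len(token) > MAX_RELAYSTATE:
        raise ValueError("path too long for an 80-byte RelayState")
    return token

def read_relay_state(token, now=None, key=SHARED_KEY, default="/"):
    """Return the stored path, or `default` if the token is forged, damaged or expired."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        tag, body = raw[:TAG_LEN], raw[TAG_LEN:]
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if len(body) < 5 or not hmac.compare_digest(tag, expected):
            return default
        (expiry,) = struct.unpack(">I", body[:4])
        if (now if now is not None else time.time()) > expiry:
            return default
        return body[4:].decode("utf-8")
    except (ValueError, UnicodeDecodeError, TypeError):
        return default

if __name__ == "__main__":
    # Node A issues the AuthnRequest; node B receives the response.
    rs = make_relay_state("/app/reports?id=42")
    print(rs, "->", read_relay_state(rs))
```

Any node can recover the landing URL without contacting the node that issued the request; paths that do not fit in 80 bytes need a shared store keyed by a short random handle instead.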