saml-dev message

Subject: Re: Réf. : Re: [saml-dev] Load balancing with SAML2

On Thu, Apr 17, 2008 at 9:25 AM,  <valerie.bauche@bull.net> wrote:
> Thanks for your response: it seems to be a good solution for my problem,
> but it's just a draft and it's quite old (September 2006): will it become a
> standard in the end?

I added links to the most recent documents on the wiki page.  It's a
Committee Specification now.  As a prerequisite to become an OASIS
Standard, three OASIS members must attest to have implemented the
spec.  I know of only one (Shibboleth 2.0 @ Internet2).  If two more
members come forward, the standardization process may proceed.

> I've got another problem on the same subject:
> Using your solution the SP will receive an unsolicited response and will be
> able to process it. But the RelayState information it will receive has been
> generated by another SP and makes no sense to the actual recipient.
> In my particular case the relay state allows the SP to know the precise URL
> asked for by the user agent at the beginning of the process and then allows
> the SP to redirect the user correctly after completing the authentication
> process.
> So I can authenticate the user correctly but I lose the original context of
> its request and don't know what to do....
>  Valérie
>  "Tom Scavo" <trscavo@gmail.com>
> 17/04/2008 14:17
>         To:        valerie.bauche@bull.net
>         cc:        saml-dev@lists.oasis-open.org
>         Subject:        Re: [saml-dev] Load balancing with SAML2
> Perhaps this is a use case for <thrpty:RespondTo> as described in this spec:
>  http://wiki.oasis-open.org/security/ProtocolExtThirdParty
>  Hope this helps,
>  Tom
>  On Thu, Apr 17, 2008 at 8:01 AM,  <valerie.bauche@bull.net> wrote:
>  >
>  > I want to protect an application which is load balanced. So I have
>  > multiple instances of the application and then multiple instances of the
>  > SAML Service Provider.
>  > From the outside, only one URL is known and it's the load balancer's job
>  > to decide to which server a request will be sent.
>  > If the SP redirects the user to an IdP with an AuthnRequest, the IdP will
>  > send the response to the SP URL (the same for all SPs), but the load
>  > balancer can decide to send this response to any SP available.
>  > So an SP can receive a response intended for another one....
>  > Has anybody already thought about this kind of problem?
>  >
>  > Valerie
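The failure mode Valérie describes (instance A issues the AuthnRequest and remembers what the RelayState means, the load balancer hands the Response to instance B, and B cannot interpret it) comes from keeping RelayState context in per-instance memory. The simulation below is an added example written for this archive page, not code from either correspondent, Bull, Internet2 or the Shibboleth project. It assumes all SP instances are the same application and can share one state store (modelled here by an in-memory dict standing in for a cluster-wide cache or database); the host name `app.example.com`, the `RelayStateStore`, `ServiceProvider` and `simulate` names, and the sample URLs are all constructed for the example. RelayState is kept as an opaque random token rather than an encoded URL because the SAML 2.0 Bindings specification caps RelayState at 80 bytes; the token is single-use, expires, and the remembered return URL is checked against the SP's own host so the post-login redirect cannot be steered off-site.

```python
import base64
import os
from urllib.parse import urlparse

MAX_RELAYSTATE_BYTES = 80            # SAML 2.0 Bindings: RelayState must not exceed 80 bytes
ALLOWED_HOSTS = {"app.example.com"}  # constructed: the only host this SP will return users to
TTL_SECONDS = 300                    # how long a pending login may take before its state expires


class RelayStateStore:
    """Maps an opaque RelayState token to the URL the user originally asked for.

    Every SP instance behind the load balancer must read and write the SAME
    store for a lookup to succeed on a different instance.  A real deployment
    would back this with a shared cache or database; the dict here is a
    stand-in (assumption) so the example runs offline."""

    def __init__(self):
        self._entries = {}

    def put(self, token, url, expires_at):
        self._entries[token] = (url, expires_at)

    def pop(self, token, now):
        # Single use: a token is consumed on first lookup, so a replayed
        # Response cannot reuse it.  Expired entries are treated as unknown.
        entry = self._entries.pop(token, None)
        if entry is None:
            return None
        url, expires_at = entry
        return url if now < expires_at else None


def _url_allowed(url):
    # Only remember absolute https URLs on our own host: RelayState must never
    # turn the post-login redirect into an open redirect.
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in ALLOWED_HOSTS


class ServiceProvider:
    def __init__(self, name, store):
        self.name = name
        self.store = store

    def start_sso(self, requested_url, now):
        """Called on the instance the user agent first hits.  Returns the
        RelayState value to send along with the AuthnRequest."""
        if not _url_allowed(requested_url):
            raise ValueError("refusing to remember an off-site return URL")
        # 24 random bytes -> 32 URL-safe characters, well under the 80-byte cap
        token = base64.urlsafe_b64encode(os.urandom(24)).decode().rstrip("=")
        self.store.put(token, requested_url, now + TTL_SECONDS)
        return token

    def finish_sso(self, relay_state, now):
        """Called on whichever instance the load balancer hands the Response to.
        Returns the URL to redirect to, or None when the state is unknown,
        expired or malformed (the caller should then fall back to a default
        landing page rather than trust anything in the RelayState itself)."""
        if relay_state is None or len(relay_state.encode()) > MAX_RELAYSTATE_BYTES:
            return None
        return self.store.pop(relay_state, now)


def simulate(shared_store, now=1_000_000):
    """Instance sp-1 starts the login; the load balancer delivers the Response
    to instance sp-2.  Returns the URL sp-2 can recover, or None."""
    if shared_store:
        store = RelayStateStore()
        sp1, sp2 = ServiceProvider("sp-1", store), ServiceProvider("sp-2", store)
    else:
        sp1 = ServiceProvider("sp-1", RelayStateStore())  # per-instance state: the
        sp2 = ServiceProvider("sp-2", RelayStateStore())  # failure mode from the thread
    relay_state = sp1.start_sso("https://app.example.com/reports/42", now)
    return sp2.finish_sso(relay_state, now + 5)


if __name__ == "__main__":
    print("per-instance state:", simulate(False))  # None: original context is lost
    print("shared state:      ", simulate(True))   # the requested URL is recovered
```

With per-instance stores `simulate(False)` returns `None`, which is exactly the lost-context situation in the thread; with a shared store the receiving instance recovers the original URL. The same store also answers the third-party `<thrpty:RespondTo>` case only when the responding SP and the originating SP share it, which is why a token scheme like this fits load-balanced instances of one application rather than genuinely separate SPs.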
