
Subject: RE: [security-services] DDDS RFCs,Liberty and SAML Metadata exchange protocol

> I'd suggest allowing support for the well-known location 
> mechanism as well as the DNS-based approach for metadata 
> acquisition, in case there are deployment environments where 
> the DNS is under separate administration, outside the 
> convenient control of those responsible for SAML deployment. 

I assumed Jahan meant exactly that, since Peter's document specs out both.
Well-known is obviously pretty trivial to spec.

I think the deeper issue for SSTC to understand is that the reason these
lookups work in Liberty is that the entities in the system are all assigned
a URI-based identifier as their ProviderID for protocol purposes, and that
ID appears in all the messages.

I consider it akin to what SAML's Issuer could be, if Issuer is added to
Request and Response.

The idea is that ProviderID or Issuer or whatever is the way you tie the
SAML message to the underlying credential presented at the transport layer,
or used to sign the message or whatever. Metadata (more specifically trust
metadata) is the glue.

-- Scott
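An added illustration of the binding Scott describes (example code, not from the thread or any SAML implementation): the Issuer/ProviderID in the message is resolved to trust metadata, and the credential actually presented (here, the key that signed the message or the TLS client cert) must appear in that metadata. It assumes the well-known location is the entity's own URI, and the metadata structure and key bytes are constructed.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for DER-encoded public keys (placeholders, not real keys).
IDP_KEY = b"constructed-der-key-idp-1"
SP_KEY = b"constructed-der-key-sp-1"

def key_fingerprint(public_key_der: bytes) -> str:
    """SHA-256 fingerprint of a public key; the value trust metadata pins."""
    return hashlib.sha256(public_key_der).hexdigest()

# Constructed trust metadata as it would be published at each entity's
# well-known location (assumed: the entity URI itself is dereferenced).
WELL_KNOWN = {
    "https://idp.example.org/saml": {"signing_keys": {key_fingerprint(IDP_KEY)}},
    "https://sp.example.net/saml": {"signing_keys": {key_fingerprint(SP_KEY)}},
}

@dataclass
class SamlMessage:
    issuer: str          # Issuer / ProviderID carried in the message itself
    signer_key: bytes    # key behind the XML signature or TLS client cert

def resolve_metadata(issuer: str, cache: dict, fetch=None):
    """Return trust metadata for an issuer from cache, else via well-known
    location (fetch simulates dereferencing the issuer URI offline)."""
    if issuer in cache:
        return cache[issuer]
    if fetch is None or not issuer.startswith("https://"):
        return None
    md = fetch(issuer)
    if md is not None:
        cache[issuer] = md
    return md

def issuer_bound_to_credential(msg: SamlMessage, cache: dict, fetch=None):
    """The glue: accept only if the presented credential is one the issuer's
    metadata authorises. Returns (ok, reason)."""
    md = resolve_metadata(msg.issuer, cache, fetch)
    if md is None:
        return False, "no trust metadata for issuer"
    if key_fingerprint(msg.signer_key) not in md["signing_keys"]:
        return False, "presented credential not in issuer metadata"
    return True, "ok"

# Constructed cases: genuine IdP, an SP key claiming the IdP's Issuer, unknown issuer.
GENUINE = SamlMessage("https://idp.example.org/saml", IDP_KEY)
SPOOFED = SamlMessage("https://idp.example.org/saml", SP_KEY)
UNKNOWN = SamlMessage("https://other.example.com/saml", IDP_KEY)
```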
