OASIS Mailing List Archives

security-services message

Subject: RE: [security-services] Groups - sstc-saml-MetadataDiscoveryProtocols-2.0-draft-00.pdf uploaded

Sorry to be late to the party...... (I am on the west coast).

I think the last response from Scott (below) captures the essence. Allow me
to articulate the steps:
1. One SAML entity obtains the Metadata URL of the second SAML entity. This
is via an out-of-band method.
2. The first entity uses the URL to get an XML document. The XML document
will be conformant with the metadata schema (see
sstc-saml-MetadataDiscoveryProtocols-2.0-draft-00 for the current draft).
3. The first entity uses the metadata to determine information about the
second entity such as supported profiles, endpoints, etc.

I have personally used this method during an interoperability effort back in
April and it worked just fine.


Jahan Moreh
Chief Security Architect

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu]
Sent: Wednesday, October 15, 2003 7:44 AM
To: 'Anthony Nadalin'; security-services@lists.oasis-open.org
Subject: RE: [security-services] Groups - sstc-saml-MetadataDiscoveryProtocols-2.0-draft-00.pdf uploaded

> So how does one parse this, how do I know the schema for the
> metadata returned ? How do I get the schemas for the data returned ?

The specification has the schema in it. This isn't arbitrary data (modulo

> Yes, caught the fever and took an aspirin and its now gone.
> You seem to be missing the point, you seem to have to talk to
> the end point service to get the metadata but you may not be
> able to, so there is a boot strap issue.

You've lost me, I'm afraid. There's nothing "magic" here, you issue an HTTP
GET for an XML document containing the metadata. You get back text/xml
containing the signed XML instance. Unless the URL is not an HTTP URL, in
which case it's scheme-specific. The spec I believe mandates support on the
relying party end for HTTP/S, but obviously many others are possible (ftp,
gopher, beep, yadda yadda).

I see no "end point service" or any bootstrap considerations. The metadata
bootstraps the other profiles (i.e. For a given provider, where do I send
SSO requests?).

-- Scott
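The three steps above (out-of-band URL, HTTP GET of the signed XML, pull endpoints and supported protocols out of it), as an added example that is not part of this thread or of any TC draft. It assumes the SAML 2.0 metadata namespace `urn:oasis:names:tc:SAML:2.0:metadata` and the XML-DSig namespace as used in the final specification (draft-00 may differ), and the metadata document it parses is constructed for the example so the script runs offline. The fetch step only enforces the HTTP/S scheme and a `text/xml` (or `application/xml`, assumed) content type; it reports whether a `ds:Signature` is present but does not verify it, because the key to verify against has to come from the same out-of-band channel as the URL, and that verification, not the transport, is what keeps the bootstrap from being spoofed.

```python
"""SAML metadata discovery: GET the metadata URL, parse the EntityDescriptor.

Added example, not code from the OASIS thread. Namespaces are the SAML 2.0
final ones (assumed); SAMPLE_METADATA is a constructed document.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from urllib.request import urlopen

MD = "urn:oasis:names:tc:SAML:2.0:metadata"   # assumed: SAML 2.0 final namespace
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Constructed sample of what an HTTP GET of a metadata URL might return.
SAMPLE_METADATA = b"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/saml">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>MEUC...</ds:SignatureValue></ds:Signature>
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/sso/redirect"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def fetch_metadata(url, timeout=10):
    """Step 2: plain HTTP(S) GET of the URL obtained out of band (step 1)."""
    scheme = urlparse(url).scheme
    if scheme not in ("http", "https"):
        # Only HTTP/S support is mandated on the relying party; refuse the rest.
        raise ValueError(f"unsupported metadata URL scheme: {scheme!r}")
    with urlopen(url, timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "")
        if not ctype.startswith(("text/xml", "application/xml")):
            raise ValueError(f"unexpected Content-Type: {ctype!r}")
        return resp.read()


def parse_metadata(doc):
    """Step 3: extract entityID, role descriptors, protocols and endpoints."""
    root = ET.fromstring(doc)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"not an EntityDescriptor: {root.tag}")
    info = {
        "entityID": root.get("entityID"),
        # Presence only; verifying needs the signer's key from the same
        # out-of-band channel as the URL, and an XML-DSig library.
        "signed": root.find("ds:Signature", NS) is not None,
        "roles": {},
    }
    for role in root:
        # Role descriptors are md:*Descriptor children; skip ds:Signature etc.
        if not (role.tag.startswith(f"{{{MD}}}") and role.tag.endswith("Descriptor")):
            continue
        name = role.tag.split("}", 1)[1]
        protocols = (role.get("protocolSupportEnumeration") or "").split()
        endpoints = [
            (ep.tag.split("}", 1)[1], ep.get("Binding"), ep.get("Location"))
            for ep in role
            if ep.get("Location")
        ]
        info["roles"][name] = {"protocols": protocols, "endpoints": endpoints}
    return info


def sso_endpoint(info, binding):
    """Answer Scott's question: for this provider, where do I send SSO requests?"""
    idp = info["roles"].get("IDPSSODescriptor")
    if idp is None:
        return None
    for kind, b, location in idp["endpoints"]:
        if kind == "SingleSignOnService" and b == binding:
            return location
    return None


if __name__ == "__main__":
    meta = parse_metadata(SAMPLE_METADATA)   # offline; swap in fetch_metadata(url) for real use
    print(meta["entityID"], "signed:", meta["signed"])
    print(sso_endpoint(meta, "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"))
```

There is no endpoint service to talk to beforehand: the only input is the URL, and the document it returns is what bootstraps every later profile. The one thing the script deliberately leaves out is signature verification; in practice a relying party should treat `signed` being true as necessary but not sufficient, and reject metadata whose signature does not verify against a key it already trusts.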
