Subject: RE: [security-services] Groups - sstc-saml-MetadataDiscoveryProtocols-2.0-draft-00.pdf uploaded
Sorry to be late to the party... (I am on the west coast). I think the last response from Scott (below) captures the essence. Allow me to articulate the steps:

1. One SAML entity obtains the metadata URL of the second SAML entity. This is via an out-of-band method.
2. The first entity uses the URL to get an XML document. The XML document will be conformant with the metadata schema (see sstc-saml-MetadataDiscoveryProtocols-2.0-draft-00 for the current draft).
3. The first entity uses the metadata to determine information about the second entity such as supported profiles, endpoints, etc.

I have personally used this method during an interoperability effort back in April and it worked just fine.

Thanks,
Jahan

---------
Jahan Moreh
Chief Security Architect
310.286.3070

-----Original Message-----
From: Scott Cantor [mailto:firstname.lastname@example.org]
Sent: Wednesday, October 15, 2003 7:44 AM
To: 'Anthony Nadalin'; email@example.com
Subject: RE: [security-services] Groups - sstc-saml-MetadataDiscoveryProtocols-2.0-draft-00.pdf uploaded

> So how does one parse this, how do I know the schema for the
> metadata returned? How do I get the schemas for the data returned?

The specification has the schema in it. This isn't arbitrary data (modulo extensions).

> Yes, caught the fever and took an aspirin and it's now gone.
> You seem to be missing the point, you seem to have to talk to
> the end point service to get the metadata but you may not be
> able to, so there is a bootstrap issue.

You've lost me, I'm afraid. There's nothing "magic" here, you issue an HTTP GET for an XML document containing the metadata. You get back text/xml containing the signed XML instance. Unless the URL is not an HTTP URL, in which case it's scheme-specific. The spec I believe mandates support on the relying party end for HTTP/S, but obviously many others are possible (ftp, gopher, beep, yadda yadda). I see no "end point service" or any bootstrap considerations.
The metadata bootstraps the other profiles (i.e., for a given provider, where do I send SSO requests?).

-- Scott
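The three steps Jahan lists (URL obtained out of band, HTTP GET of the XML, read supported protocols and endpoints out of it) and Scott's "where do I send SSO requests?" question, as an added worked example. This is not code from the thread, the TC, or any SAML implementation. It assumes the final SAML 2.0 metadata namespace (urn:oasis:names:tc:SAML:2.0:metadata) rather than whatever draft-00 of the schema carried, and the sample document, entity ID, URLs and certificate text are constructed; the function names are hypothetical. It only checks that a ds:Signature is present; verifying that signature (XML-DSig) needs an XML signature library and must happen before anything read from the document is trusted.

```python
"""Added example: SAML metadata discovery as described in the thread.

Step 1 (obtain the metadata URL out of band) is the caller's job.
Step 2 is fetch_metadata(); step 3 is parse_metadata() / sso_endpoint().
Namespaces follow the final SAML 2.0 metadata schema (an assumption
about draft-00). The sample document below is constructed, not real.
"""
import urllib.request
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NS = {"md": MD, "ds": DS}

# Constructed sample of what an IdP might publish at its metadata URL.
# The entity ID, locations, certificate and signature text are made up.
SAMPLE_METADATA = b"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/idp">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBconstructed</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.org/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def fetch_metadata(url, timeout=10):
    """Step 2: plain HTTP(S) GET of the URL obtained out of band.

    The thread notes the spec mandates only HTTP/S support on the relying
    party side, so other schemes are refused here rather than handled.
    The response is expected to be XML (text/xml in Scott's description).
    """
    if not url.startswith(("https://", "http://")):
        raise ValueError("only http(s) metadata URLs are supported here")
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        ctype = resp.headers.get_content_type()
        if ctype not in ("text/xml", "application/xml", "application/samlmetadata+xml"):
            raise ValueError(f"unexpected content type {ctype!r}")
        return resp.read()


def parse_metadata(xml_bytes):
    """Step 3: read entityID, protocols, SSO endpoints and signing certs.

    Only records whether a ds:Signature is present; validating it is a
    separate step (XML-DSig library) that must precede trusting any of
    this. In production parse with defusedxml to blunt entity-expansion
    attacks on untrusted XML.
    """
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"not an md:EntityDescriptor: {root.tag}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    cert_path = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    return {
        "entity_id": root.get("entityID"),
        "signed": root.find("ds:Signature", NS) is not None,
        # protocolSupportEnumeration is a whitespace-separated URI list
        "protocols": idp.get("protocolSupportEnumeration", "").split(),
        "sso": {s.get("Binding"): s.get("Location")
                for s in idp.findall("md:SingleSignOnService", NS)},
        "signing_certs": [c.text.strip() for c in idp.findall(cert_path, NS)],
    }


def sso_endpoint(info, binding=HTTP_POST):
    """Scott's question: for this provider, where do I send SSO requests?"""
    if SAML2_PROTOCOL not in info["protocols"]:
        raise ValueError("entity does not advertise SAML 2.0 protocol support")
    try:
        return info["sso"][binding]
    except KeyError:
        raise ValueError(f"no SingleSignOnService for binding {binding}") from None


if __name__ == "__main__":
    # Offline run against the constructed sample instead of a live GET.
    parsed = parse_metadata(SAMPLE_METADATA)
    print(parsed["entity_id"], "signed:", parsed["signed"])
    print("SSO (HTTP-POST):", sso_endpoint(parsed))
```

Against a live provider you would call fetch_metadata(url) with the URL exchanged out of band and hand the bytes to parse_metadata(); the dictionary it returns is the input to the "other profiles" the metadata bootstraps.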