OASIS Mailing List Archives
security-services message


Subject: Multiple artifact endpoints


Per the discussion on the call, the basic point here is that the artifact
binding introduces a lot of short-lived state into the IdP implementation,
and this is a complication if you have a lot of dispersed instances of your
IdP implementation around.

For example, there are two machines making network connections to your IdP,
the browser client and the SP. They can independently end up calling into
different back-end instances if you're load balancing, and no solution for
stickiness works, since it's not the same client.

The other point is exactly what Greg said. The SAML 1.1 model was of binding
identifiers like the SourceID to physical locations. The SAML 2.0 model is
more abstracted and introduces a layer of indirection in which protocols
refer to system entities by providerId and metadata is used to map that to
physical endpoints.

If there weren't a simple solution to improve this, perhaps neither argument
would be persuasive and we'd just continue to force implementers to solve
the state problem with a database or a lot of back-end work. But there is a
simple solution, and we already use it in the spec for the Assertion
Consumer Service endpoint at the SP. The AuthnRequest permits the SP to tell
the IdP to use a particular AssertionConsumerService by passing an index to
it and putting the same index into metadata. There's also a default flag in
metadata so that the common case is handled.

In the metadata schema, it's done by just extending the md:EndpointType with
a couple of attributes, id and isDefault. The AssertionConsumerServiceType
is defined that way. I'm proposing the artifact resolution endpoint be done
the same way (currently nothing related to artifact resolution is in
metadata, but that has to be added either way).

The new SAML -04- artifact definition would have maybe a couple of bytes
added after the 20 byte SourceID that would be matched against the
endpoints' id attributes in the metadata. 0x00 would be used to just signal
nothing, meaning use the isDefault="true" endpoint.

-- Scott
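The proposal above describes a protocol mechanism: an artifact that carries an endpoint index alongside the SourceID, resolved against indexed endpoints in metadata. The following is an added example, not Scott's code and not text from any SAML specification. It assumes a concrete wire layout (2-byte type code, 20-byte SourceID, 2-byte endpoint index, 20-byte message handle; the message only says "a couple of bytes"), a made-up type code value, the attribute names of the published SAML 2.0 metadata schema (entityID, index, isDefault, Location) rather than the draft's id attribute, and a constructed metadata document for one IdP with two back-end instances. It shows the IdP-side stamping of the index and the SP-side lookup, including the check that the SourceID maps to a provider already in trusted metadata before anything is resolved.

```python
import base64
import hashlib
import os
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Assumed wire layout for the proposed artifact (the message only says "a
# couple of bytes" after the 20-byte SourceID; the 2-byte type code and the
# 20-byte handle mirror the SAML 1.1 type 0x0001 artifact):
#   TypeCode(2) | SourceID(20) | EndpointIndex(2) | MessageHandle(20)
TYPE_CODE = b"\x00\x04"           # assumed type code for this layout
DEFAULT_ENDPOINT = 0              # 0x0000 = "use the isDefault endpoint"
ARTIFACT_LEN = 2 + 20 + 2 + 20


def source_id(provider_id: str) -> bytes:
    """SourceID: SHA-1 of the provider identifier (the SAML 1.1 convention)."""
    return hashlib.sha1(provider_id.encode("utf-8")).digest()


def build_artifact(provider_id: str, endpoint_index: int, handle=None) -> str:
    """IdP side: each back-end instance stamps the index of its own
    ArtifactResolutionService so the SP comes back to the instance that
    holds the short-lived state for this handle."""
    if not 0 <= endpoint_index <= 0xFFFF:
        raise ValueError("endpoint index must fit in two bytes")
    handle = os.urandom(20) if handle is None else handle
    if len(handle) != 20:
        raise ValueError("message handle must be 20 bytes")
    raw = TYPE_CODE + source_id(provider_id) + endpoint_index.to_bytes(2, "big") + handle
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact: str) -> dict:
    """SP side: split the artifact into its fields and reject anything that
    is not exactly the layout this code understands."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != ARTIFACT_LEN or raw[:2] != TYPE_CODE:
        raise ValueError("unsupported artifact type or length")
    return {
        "source_id": raw[2:22],
        "endpoint_index": int.from_bytes(raw[22:24], "big"),
        "handle": raw[24:],
    }


def artifact_endpoints(metadata_xml: str) -> dict:
    """Map SourceID -> (entityID, [endpoints]) from md:ArtifactResolutionService
    elements. Attribute names follow the published SAML 2.0 metadata schema."""
    table = {}
    root = ET.fromstring(metadata_xml)
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        entity_id = ed.get("entityID")
        endpoints = []
        for ep in ed.iter(f"{{{MD_NS}}}ArtifactResolutionService"):
            endpoints.append({
                "index": int(ep.get("index")),
                "is_default": ep.get("isDefault", "false").lower() == "true",
                "binding": ep.get("Binding"),
                "location": ep.get("Location"),
            })
        if endpoints:
            table[source_id(entity_id)] = (entity_id, endpoints)
    return table


def resolve_endpoint(artifact: str, table: dict) -> tuple:
    """Choose where the SP sends its ArtifactResolve request. The SourceID
    must map to a provider already in trusted metadata: the artifact never
    carries a location, so it cannot steer resolution to an arbitrary host."""
    fields = parse_artifact(artifact)
    entry = table.get(fields["source_id"])
    if entry is None:
        raise LookupError("SourceID does not match any trusted provider")
    entity_id, endpoints = entry
    idx = fields["endpoint_index"]
    if idx == DEFAULT_ENDPOINT:
        matches = [e for e in endpoints if e["is_default"]]
    else:
        matches = [e for e in endpoints if e["index"] == idx]
    if len(matches) != 1:
        raise LookupError(f"no unique endpoint for index {idx} at {entity_id}")
    return entity_id, matches[0]["location"]


# Constructed sample metadata: one IdP whose two back-end instances are each
# reachable through their own ArtifactResolutionService. Indices start at 1
# because 0 is reserved to mean "use the default".
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:ArtifactResolutionService index="1" isDefault="true"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
          Location="https://idp1.example.org/idp/ArtifactResolution"/>
      <md:ArtifactResolutionService index="2"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
          Location="https://idp2.example.org/idp/ArtifactResolution"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

if __name__ == "__main__":
    table = artifact_endpoints(SAMPLE_METADATA)
    art = build_artifact("https://idp.example.org/idp", 2)   # issued by instance 2
    print(resolve_endpoint(art, table))
```

Because index 0 is the "default" sentinel in this layout, the metadata for a provider must number its real endpoints from 1; an artifact whose index matches nothing in metadata is refused rather than falling back to the default, so a tampered index cannot silently redirect resolution to a different instance than the one that issued the artifact.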
