[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Multiple artifact endpoints
Per the discussion on the call, the basic point here is that the artifact binding introduces a lot of short-lived state into the IdP implementation, and this is a complication if you have a lot of dispersed instances of your IdP implementation around. For example, there are two machines making network connections to your IdP, the browser client and the SP. They can independently end up calling into different back-end instances if you're load balancing, and no solution for stickiness works, since it's not the same client.

The other point is exactly what Greg said. The SAML 1.1 model was of binding identifiers like the SourceID to physical locations. The SAML 2.0 model is more abstracted and introduces a layer of indirection in which protocols refer to system entities by providerId and metadata is used to map that to physical endpoints.

If there weren't a simple solution to improve this, perhaps neither argument would be persuasive and we'd just continue to force implementers to solve the state problem with a database or a lot of back-end work. But there is a simple solution, and we already use it in the spec for the Assertion Consumer Service endpoint at the SP. The AuthnRequest permits the SP to tell the IdP to use a particular AssertionConsumerService by passing an index to it and putting the same index into metadata. There's also a default flag in metadata so that the common case is handled. In the metadata schema, it's done by just extending the md:EndpointType with a couple of attributes, id and isDefault. The AssertionConsumerServiceType is defined that way.

I'm proposing the artifact resolution endpoint be done the same way (currently nothing related to artifact resolution is in metadata, but that has to be added either way). The new SAML -04- artifact definition would have maybe a couple of bytes added after the 20-byte SourceID that would be matched against the endpoints' id attributes in the metadata. 0x00 would be used to just signal nothing, meaning use the isDefault="true" endpoint.

-- Scott
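The following is an added example, not code from the post or from any SAML implementation, showing how the proposal above would work end to end: an artifact that carries an endpoint index after the SourceID, and an SP-side resolver that maps that index to an ArtifactResolutionService endpoint using only the IdP's metadata. The byte layout (20-byte SourceID, 2-byte index, 20-byte message handle), the derivation of the SourceID as SHA-1 of the providerId, and the names `ArtifactResolutionService`, `resolve_endpoint` and the example URLs are all assumptions made for the example. Index 0 selects the `isDefault="true"` endpoint, as the post proposes.

```python
"""Toy encoder/decoder for the proposed indexed artifact and a
metadata-driven resolver (added example; assumptions noted inline)."""
import base64
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed layout: 20-byte SourceID || 2-byte endpoint index || 20-byte handle.
# The post only says "a couple of bytes added after the 20 byte SourceID";
# the message handle is carried over from the SAML 1.1 artifact as an assumption.
SOURCE_ID_LEN = 20
INDEX_LEN = 2
HANDLE_LEN = 20
ARTIFACT_LEN = SOURCE_ID_LEN + INDEX_LEN + HANDLE_LEN
DEFAULT_INDEX = 0  # 0x00 means "use the isDefault endpoint", per the post


@dataclass(frozen=True)
class ArtifactResolutionService:
    """One endpoint entry: md:EndpointType extended with index and isDefault."""
    index: int
    location: str
    is_default: bool = False


@dataclass(frozen=True)
class Artifact:
    source_id: bytes
    endpoint_index: int
    message_handle: bytes


def source_id_for(provider_id: str) -> bytes:
    # Assumption: SourceID is the 20-byte SHA-1 digest of the providerId.
    return hashlib.sha1(provider_id.encode("utf-8")).digest()


def encode_artifact(source_id: bytes, endpoint_index: int,
                    handle: Optional[bytes] = None) -> str:
    """Build the base64 wire form; the IdP instance that issues the artifact
    writes its own endpoint index so resolution comes back to it."""
    if len(source_id) != SOURCE_ID_LEN:
        raise ValueError("SourceID must be 20 bytes")
    if not 0 <= endpoint_index < 2 ** (8 * INDEX_LEN):
        raise ValueError("endpoint index out of range")
    if handle is None:
        handle = os.urandom(HANDLE_LEN)  # fresh, unguessable message handle
    if len(handle) != HANDLE_LEN:
        raise ValueError("message handle must be 20 bytes")
    raw = source_id + endpoint_index.to_bytes(INDEX_LEN, "big") + handle
    return base64.b64encode(raw).decode("ascii")


def decode_artifact(encoded: str) -> Artifact:
    """Strictly parse the wire form; reject anything of the wrong length."""
    raw = base64.b64decode(encoded, validate=True)
    if len(raw) != ARTIFACT_LEN:
        raise ValueError(f"artifact must be {ARTIFACT_LEN} bytes, got {len(raw)}")
    source_id = raw[:SOURCE_ID_LEN]
    index = int.from_bytes(raw[SOURCE_ID_LEN:SOURCE_ID_LEN + INDEX_LEN], "big")
    return Artifact(source_id, index, raw[SOURCE_ID_LEN + INDEX_LEN:])


def validate_endpoints(endpoints: List[ArtifactResolutionService]) -> None:
    """Reject metadata that cannot be resolved unambiguously: use of the
    reserved index 0, duplicate indexes, or not exactly one default."""
    indexes = [e.index for e in endpoints]
    if DEFAULT_INDEX in indexes:
        raise ValueError("index 0 is reserved for 'use the default endpoint'")
    if len(set(indexes)) != len(indexes):
        raise ValueError("duplicate endpoint index in metadata")
    if sum(e.is_default for e in endpoints) != 1:
        raise ValueError("metadata must mark exactly one default endpoint")


def resolve_endpoint(metadata: Dict[bytes, List[ArtifactResolutionService]],
                     artifact: Artifact) -> str:
    """Map an artifact to a resolution URL using trusted metadata only.
    The artifact carries an index, never a location, so the SP can only
    ever be sent to an endpoint the IdP published for that SourceID."""
    endpoints = metadata.get(artifact.source_id)
    if not endpoints:
        raise LookupError("unknown SourceID: no IdP in metadata matches")
    validate_endpoints(endpoints)
    if artifact.endpoint_index == DEFAULT_INDEX:
        return next(e.location for e in endpoints if e.is_default)
    for e in endpoints:
        if e.index == artifact.endpoint_index:
            return e.location
    raise LookupError(f"no endpoint with index {artifact.endpoint_index} in metadata")


# Constructed sample metadata: one IdP with two resolution endpoints,
# e.g. two load-balanced instances that each hold their own artifact state.
IDP_PROVIDER_ID = "https://idp.example.org"  # assumed providerId
EXAMPLE_METADATA = {
    source_id_for(IDP_PROVIDER_ID): [
        ArtifactResolutionService(1, "https://idp-a.example.org/saml/artifact", True),
        ArtifactResolutionService(2, "https://idp-b.example.org/saml/artifact"),
    ],
}

if __name__ == "__main__":
    sid = source_id_for(IDP_PROVIDER_ID)
    for idx in (0, 1, 2):
        art = decode_artifact(encode_artifact(sid, idx))
        print(idx, "->", resolve_endpoint(EXAMPLE_METADATA, art))
```

The point the post makes about indirection is visible in `resolve_endpoint`: the only thing the artifact contributes is a SourceID and an index, and both are looked up in metadata the SP already trusts. An SP that instead derived a URL from artifact contents would reintroduce the SAML 1.1 binding of identifiers to physical locations, and would have no basis for rejecting an artifact pointing at a location the IdP never published.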