Metadata support for Discovery profile

[Paul Madsen <p.madsen@entrust.com>]

My Entrust colleague Thomas Wisniewski had suggested (http://www.oasis-open.org/archives/security-services/200410/msg00015.html) the possibility of implementing support for the Discovery Profile in Metadata descriptors; the most likely scenario being to allow IDPs to advertise the relevant Common Domain URL at which SPs could discover them.

 

This issue came up on yesterdays SSTC call, On the call we came to the tentative conclusion that this seemed to be a Catch-22 situation, specifically how would the SP know which IDP descriptor to load in order to determine to which common domain a particular principal should be sent for IDP discovery without already knowing the IDP. I took an action to clarify Tom's intent and priority for this request.

 

Tom wrote 'This item was not that critical and should not hold back Saml 2.0 in any way' so we can close the issue.

 

For future consideration, despite the apparent Catch-22 situation, it does appear that such a mechanism could be useful. While it is true that an SP would be unable to immediately load a particular IDP metadata descriptor before actually discovering the IDP, formalizing how the IDP advertises the common domains in which it participates could enable the SP building a list of potential common domains automatically (by collecting common domain URLs from all IDPs for which it had metadata descriptors). This compared to building such a list in a piecemeal fashion from out-of-band communications.

 

Paul

 

 

-----------------------------------------------------------------

Paul Madsen

e:  p.madsen@entrust.com

p:  613-270-2632

c:  613-799-2632

Entrust