Subject: Re: [security-services] Web SSO <AuthnRequest> conformance



On Oct 26, 2004, at 6:31 PM, Thomas Wisniewski wrote:

> That was it exactly. Perhaps the size limits are fairly large (typically
> closer to 2k at least), and for conformance (and interop), only "small"
> <AuthnRequest>s are handled.
>
> Here's a very trivial request (ids are very short) that is around 800 chars
> (base 64 encoding and url encoding will add 33%, and make this around 1150
> chars). I guess dig sig is not really required (that would increase size
> drastically).

You're forgetting the deflate encoding step. The actual numbers for your
example are:

<samlp:AuthnRequest
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
ID="_9494578B5BDA829CF967D5AAA5DFA158C2A85EEF"
IssueInstant="2004-10-26T17:56:02Z" Version="2.0"
xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
NameQualifier="" SPNameQualifier=""
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
   idp
</saml:Issuer>
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
<samlp:NameIDPolicy AllowCreate="true"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SPNameQualifier="sp.company.com"/>
</samlp:AuthnRequest>
xml length=776

deflated length=366


base64 length=494


Of course, there are a number of unnecessary attributes/elements in your
example. Pruning those, I get:

<samlp:AuthnRequest
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
ID="_9494578B5BDA829CF967D5AAA5DFA158C2A85EEF"
IssueInstant="2004-10-26T17:56:02Z" Version="2.0"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idp</saml:Issuer><samlp:NameIDPolicy
AllowCreate="true"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SPNameQualifier="sp.company.com"/></samlp:AuthnRequest>
xml length=521

deflated length=291


base64 length=393

Not to say that POST shouldn't be MTI, but I don't think the URL encoding
is really as bad as you think it is.

-Greg
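As an added example (not part of the thread), the HTTP-Redirect encoding pipeline Greg is describing, in Python: raw DEFLATE (RFC 1951, no zlib header, as the binding requires), then base64, then URL-encoding of the SAMLRequest query parameter, applied to his pruned request and decoded again to confirm the round trip. The deflated length depends on the compressor and level, so the exact numbers can differ slightly from the ones quoted above.

```python
"""SAML 2.0 HTTP-Redirect binding size check (constructed example)."""
import base64
import zlib
from urllib.parse import quote, unquote

# The pruned <AuthnRequest> from the thread, collapsed to a single line.
PRUNED_REQUEST = (
    '<samlp:AuthnRequest Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" '
    'ID="_9494578B5BDA829CF967D5AAA5DFA158C2A85EEF" IssueInstant="2004-10-26T17:56:02Z" '
    'Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idp</saml:Issuer>'
    '<samlp:NameIDPolicy AllowCreate="true" '
    'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" '
    'SPNameQualifier="sp.company.com"/></samlp:AuthnRequest>'
)


def redirect_encode(xml: str) -> dict:
    """Run XML -> raw DEFLATE -> base64 -> URL-encoded query parameter.

    Returns every intermediate form plus a table of their lengths, so the
    growth at each stage (the point of the thread) can be inspected.
    """
    raw = xml.encode("utf-8")
    # wbits=-15 selects raw DEFLATE (RFC 1951) without the zlib wrapper.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(raw) + comp.flush()
    b64 = base64.b64encode(deflated).decode("ascii")
    # safe="" so '+', '/' and '=' are percent-encoded in the query string.
    query = "SAMLRequest=" + quote(b64, safe="")
    return {
        "xml": raw, "deflated": deflated, "base64": b64, "query": query,
        "lengths": {"xml": len(raw), "deflated": len(deflated),
                    "base64": len(b64), "query": len(query)},
    }


def redirect_decode(query: str) -> str:
    """Reverse the pipeline: drop the parameter name, URL-decode, base64, inflate."""
    b64 = unquote(query.split("=", 1)[1])
    deflated = base64.b64decode(b64)
    return zlib.decompressobj(-15).decompress(deflated).decode("utf-8")


if __name__ == "__main__":
    for stage, n in redirect_encode(PRUNED_REQUEST)["lengths"].items():
        print(f"{stage:>8} length={n}")
```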
