OASIS Mailing List Archives

security-services message

Subject: RE: [security-services] Web SSO <AuthnRequest> conformance


Greg, others, thanks. You are probably correct and it is not as bad. I had
also included RelayState and implementation specific data in the redirection
URLs I was attempting -- which added to the size of the request. Whether
it's MTI is up to the group.


Greg, Scott, just curious: you suggested the XML is not optimized, but with
the exception of the saml ns in 2 locations and the Format of the issuer
(which is optional), everything else is as expected under normal conditions
(i.e., consent is req'd and ID Federation is possible).

Thanks, Tom.

-----Original Message-----
From: Greg Whitehead [mailto:grw@trustgenix.com]
Sent: Tuesday, October 26, 2004 9:00 PM
To: Thomas Wisniewski
Cc: Mishra, Prateek; Scott Cantor;
security-services@lists.oasis-open.org
Subject: Re: [security-services] Web SSO <AuthnRequest> conformance



On Oct 26, 2004, at 6:31 PM, Thomas Wisniewski wrote:

> That was it exactly. Perhaps the size limits are fairly large (typically
> closer to 2k at least), and for conformance (and interop), only "small"
> <AuthnRequest>s are handled.
>
> Here's a very trivial request (ids are very short) that is around 800
> chars (base 64 encoding and url encoding will add 33%, and make this
> around 1150 chars). I guess dig sig is not really required (that would
> increase size drastically).

You're forgetting the deflate encoding step. The actual numbers for your
example are:

<samlp:AuthnRequest
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
ID="_9494578B5BDA829CF967D5AAA5DFA158C2A85EEF"
IssueInstant="2004-10-26T17:56:02Z" Version="2.0"
xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
NameQualifier="" SPNameQualifier=""
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
   idp
</saml:Issuer>
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"/>
<samlp:NameIDPolicy AllowCreate="true"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SPNameQualifier="sp.company.com"/>
</samlp:AuthnRequest>
xml length=776

deflated length=366


base64 length=494


Of course, there are a number of unnecessary attributes/elements in your
example. Pruning those, I get:

<samlp:AuthnRequest
Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
ID="_9494578B5BDA829CF967D5AAA5DFA158C2A85EEF"
IssueInstant="2004-10-26T17:56:02Z" Version="2.0"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idp</saml:Issuer><samlp:NameIDPolicy
AllowCreate="true"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SPNameQualifier="sp.company.com"/></samlp:AuthnRequest>
xml length=521

deflated length=291


base64 length=393

Not to say that POST shouldn't be MTI, but I don't think the URL encoding
is really as bad as you think it is.

-Greg
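The size comparison Greg walks through, as an added Python example that is not part of the thread: it applies the HTTP-Redirect binding's encoding steps (RFC 1951 raw DEFLATE, base64, URL encoding) to the pruned <AuthnRequest> and reports the length at each stage, and it decodes with an inflate cap so a receiver bounds how large a few hundred bytes of SAMLRequest may expand to. The 64 KiB cap and the function names are assumptions; deflate output lengths vary with the compressor, so they need not match Greg's exact figures.

```python
import base64
import urllib.parse
import zlib

# Constructed sample: the pruned <AuthnRequest> from the message above, on one line.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" '
    'ID="_9494578B5BDA829CF967D5AAA5DFA158C2A85EEF" IssueInstant="2004-10-26T17:56:02Z" '
    'Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">idp</saml:Issuer>'
    '<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" '
    'SPNameQualifier="sp.company.com"/></samlp:AuthnRequest>'
)
MAX_INFLATED = 64 * 1024  # assumed cap on the decoded request size (not from the thread)

def deflate_raw(data: bytes) -> bytes:
    """RFC 1951 raw DEFLATE (no zlib header or trailer), as the Redirect binding uses."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(data) + comp.flush()

def inflate_raw(data: bytes, limit: int = MAX_INFLATED) -> bytes:
    """Inflate with an output cap, so a tiny request body cannot expand without bound."""
    dec = zlib.decompressobj(-15)
    out = dec.decompress(data, limit)
    if dec.unconsumed_tail or not dec.eof:
        raise ValueError("inflated request exceeds %d bytes or is truncated" % limit)
    return out

def encode_redirect_query(xml: str, relay_state: str = "") -> str:
    """Build the Redirect-binding query string: deflate, base64, then URL-encode."""
    b64 = base64.b64encode(deflate_raw(xml.encode("utf-8"))).decode("ascii")
    params = {"SAMLRequest": b64}
    if relay_state:
        params["RelayState"] = relay_state
    return urllib.parse.urlencode(params)

def decode_saml_request(query: str, limit: int = MAX_INFLATED) -> str:
    """Reverse the encoding on the receiving side, with the inflate cap applied."""
    b64 = urllib.parse.parse_qs(query, strict_parsing=True)["SAMLRequest"][0]
    return inflate_raw(base64.b64decode(b64, validate=True), limit).decode("utf-8")

def redirect_sizes(xml: str, relay_state: str = "") -> dict:
    """Length at each stage, mirroring the xml/deflated/base64 figures in the thread."""
    raw = xml.encode("utf-8")
    deflated = deflate_raw(raw)
    return {"xml": len(raw), "deflated": len(deflated),
            "base64": len(base64.b64encode(deflated)),
            "query": len(encode_redirect_query(xml, relay_state))}
```

The "query" figure is the part that actually lands in the URL: base64's +, / and = are percent-encoded, so it is a little longer than the base64 length alone.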
