Subject: Discovery hint
As mentioned on Tuesday's call, I am intending to profile a means of IdP discovery using the Kerberos realm associated with a ticket that MAY be presented to a service provider by a user agent in the Kerberos Web SSO Profile.

My initial strategy was to simply specify a new element that was a child of <IDPSSODescriptor> that indicated the Kerberos realm(s) that the IdP was able to authenticate principals for. However, it subsequently occurred to me that there might be some value in making this element more general purpose, to support types of discovery 'hints' other than Kerberos; for example, IP address. A metadata consumer (e.g., a service provider or discovery service) could use this information to identify candidate IdP(s) that the user agent should be redirected to.

In terms of realising this, I was thinking that the sstc-saml-idp-discovery could be extended to specify a base 'list of hints' element, and then its child technology-specific hints could be specified in other profiles (e.g., the Kerberos hint in the Kerberos Web SSO profile).

Does anyone have any views on whether this would be a good thing to do, or not?

josh.
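As an added illustration of the proposal above (example code written for this page, not code from the list, from any SSTC draft, or from the Kerberos Web SSO profile), the following Python sketches what a metadata consumer would do with such a 'list of hints': parse the hints out of each IdP's metadata, then rank candidate IdPs given the realm of a presented ticket and/or the client's source address. The element and namespace names (urn:example:saml:discovery-hints, DiscoveryHints, KerberosRealm, IPAddress) are placeholders invented here, since the message defines none; the hints are placed under md:Extensions of IDPSSODescriptor as the schema-conformant way to add a child to that role. The sample metadata is constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
# Hypothetical namespace/element names for the proposed 'list of hints'; the
# posting defines none, so these are placeholders chosen for illustration.
HINT_NS = "urn:example:saml:discovery-hints"
NS = {"md": MD_NS, "dh": HINT_NS}

# Constructed sample metadata (not from the list): two IdPs, each advertising
# the Kerberos realms and client networks it can authenticate principals for.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                       xmlns:dh="urn:example:saml:discovery-hints">
  <md:EntityDescriptor entityID="https://idp.example.edu/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <dh:DiscoveryHints>
          <dh:KerberosRealm>EXAMPLE.EDU</dh:KerberosRealm>
          <dh:KerberosRealm>STUDENTS.EXAMPLE.EDU</dh:KerberosRealm>
          <dh:IPAddress>192.0.2.0/24</dh:IPAddress>
        </dh:DiscoveryHints>
      </md:Extensions>
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/saml/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sso.example.com/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <dh:DiscoveryHints>
          <dh:KerberosRealm>CORP.EXAMPLE.COM</dh:KerberosRealm>
          <dh:IPAddress>198.51.100.0/24</dh:IPAddress>
          <dh:IPAddress>not-an-address</dh:IPAddress>
        </dh:DiscoveryHints>
      </md:Extensions>
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://sso.example.com/idp/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_hints(metadata_xml):
    """Return {entityID: {"realms": set, "networks": [ip_network, ...]}} for every
    IdP role carrying a DiscoveryHints element. A malformed IP hint is dropped
    rather than allowed to break discovery for the whole entity. The metadata
    must already be signature-verified or fetched from a trusted source before
    any hint in it is believed."""
    root = ET.fromstring(metadata_xml)
    hints = {}
    for ent in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        entity_id = ent.get("entityID")
        for dh in ent.findall("md:IDPSSODescriptor/md:Extensions/dh:DiscoveryHints", NS):
            entry = hints.setdefault(entity_id, {"realms": set(), "networks": []})
            for r in dh.findall("dh:KerberosRealm", NS):
                if r.text and r.text.strip():
                    entry["realms"].add(r.text.strip())  # realms compared case-sensitively
            for a in dh.findall("dh:IPAddress", NS):
                try:
                    entry["networks"].append(ipaddress.ip_network((a.text or "").strip(), strict=False))
                except ValueError:
                    continue  # malformed hint: ignore it, keep the rest
    return hints


def candidate_idps(hints, realm=None, client_ip=None):
    """Rank IdPs for redirection. `realm` is the realm string taken from the
    ticket the user agent presented (extracting it is outside this example);
    a realm match outranks a source-address match because the address is only
    a heuristic. Neither is authentication: the chosen IdP must still
    authenticate the principal, so a spoofed realm or address can at worst
    steer the redirect to the wrong legitimate IdP."""
    addr = ipaddress.ip_address(client_ip) if client_ip else None
    scored = []
    for entity_id, entry in hints.items():
        score = 0
        if realm is not None and realm in entry["realms"]:
            score += 2
        if addr is not None and any(addr in net for net in entry["networks"]):
            score += 1
        if score:
            scored.append((-score, entity_id))
    return [eid for _, eid in sorted(scored)]


if __name__ == "__main__":
    h = parse_hints(SAMPLE_METADATA)
    print(candidate_idps(h, realm="CORP.EXAMPLE.COM", client_ip="192.0.2.5"))
```

The ordering matters more than the scoring: when a ticket realm and a source address disagree, the consumer should prefer the realm and fall back to the address, and when neither matches anything it should fall through to ordinary discovery (an empty list here) rather than guess.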