
security-services message


Subject: Discovery hint

As mentioned on Tuesday's call, I am intending to profile a means of  
IdP discovery using the Kerberos realm associated with a ticket that  
MAY be presented to a service provider by a user agent in the Kerberos  
Web SSO Profile.

My initial strategy was to simply specify a new element that was a  
child of <IDPSSODescriptor> that indicated the Kerberos realm(s) that  
the IdP was able to authenticate principals for.

However, it subsequently occurred to me that there might be some value  
in making this element more general purpose, to support other types of  
discovery 'hints' other than Kerberos; for example, IP address.

A metadata consumer (e.g., a service provider or discovery service)  
could use this information to identify candidate IdP(s) that the  
user agent should be redirected to. In terms of realising this, I was  
thinking that the sstc-saml-idp-discovery could be extended to specify  
a base 'list of hints' element, and then its child technology-specific  
hints could be specified in other profiles (e.g., the Kerberos hint in  
the Kerberos Web SSO profile).

Does anyone have any views on whether this would be a good thing to  
do, or not?
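As an added illustration of the metadata-consumer side of this proposal (not code from the poster or the SSTC), the snippet below parses a constructed metadata file carrying a hypothetical `DiscoveryHints` extension under `IDPSSODescriptor` and returns the candidate IdP(s) for a given Kerberos realm or client IP address. The element names and the `urn:example:saml:discovery-hints` namespace are assumptions; no such extension is defined on this page.

```python
# Added example, not from the post: a metadata consumer reading a hypothetical
# discovery-hints extension (element names and namespace URN are assumptions).
import ipaddress
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "hint": "urn:example:saml:discovery-hints"}  # assumed namespace

# Constructed sample metadata: two IdPs, each advertising discovery hints.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:hint="urn:example:saml:discovery-hints">
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <hint:DiscoveryHints>
          <hint:KerberosRealm>EXAMPLE.ORG</hint:KerberosRealm>
          <hint:IPAddress>192.0.2.0/24</hint:IPAddress>
        </hint:DiscoveryHints>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.net/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <hint:DiscoveryHints>
          <hint:KerberosRealm>EXAMPLE.NET</hint:KerberosRealm>
          <hint:KerberosRealm>SUB.EXAMPLE.NET</hint:KerberosRealm>
        </hint:DiscoveryHints>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def candidate_idps(metadata_xml, realm=None, client_ip=None):
    """Return entityIDs whose hints name the given Kerberos realm (realm names
    are case-sensitive) or whose IPAddress hint covers client_ip. Hints only
    narrow the choice; the SP still validates the ticket with the chosen IdP."""
    root = ET.fromstring(metadata_xml)
    matches = []
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        hints = ed.find("md:IDPSSODescriptor/md:Extensions/hint:DiscoveryHints", NS)
        if hints is None:
            continue  # IdP publishes no hints; cannot be selected this way
        realms = {r.text.strip() for r in hints.findall("hint:KerberosRealm", NS)}
        nets = [ipaddress.ip_network(n.text.strip()) for n in hints.findall("hint:IPAddress", NS)]
        if realm and realm in realms:
            matches.append(ed.get("entityID"))
        elif client_ip and any(ipaddress.ip_address(client_ip) in n for n in nets):
            matches.append(ed.get("entityID"))
    return matches
```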

