On 6/21/11 8:04 PM, "Sam Hartman" <[log in to unmask]> wrote:
>
>Well this depends on whether we're trying to work with existing metadata
>or synthesize new metadata.
Right...I'd start with the model you want and then worry about how to
express it.
> Josh> The best option that I can think of is to include the claimed
> Josh> EntityID in the AAA request - probably as a component within
> Josh> the GSS acceptor name, or alternatively as a separate AAA
> Josh> attribute. The AAA fabric would be required to validate this
> Josh> value (in addition to the claimed GSS acceptor name).
>
>Why not include the acceptor name in the metadata as saml-EC does?
Specifically (for Roland and others that might be SAML familiar but
haven't read the draft), I proposed constructing a URI out of the acceptor
name and expressing that in the place of an assertion consumer service URL
in the HTTP scenario.
With HTTP use cases, you can't assume that an ACS is limited to one
entity, but with this kind of convention, there's no reason to be sharing
them since they're really just alternative names.
Of course, you *can* just use a URI formulated from the acceptor name as
the entityID too. It's just a bit more flexible if it's indirect.
-- Scott
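As an added illustration (not code from the thread or from any ABFAB or SAML-EC implementation), the following shows the check an IdP or AAA server would perform under Scott's convention: the GSS acceptor name is mapped to a URI and compared against the AssertionConsumerService locations registered in the relying party's metadata, alongside the entityID. The URI form `urn:x-acceptor:service@host` and the binding identifier are assumptions chosen for the example; the thread fixes neither.

```python
"""Added example: verify that a claimed entityID and GSS acceptor name agree
with SAML metadata in which the acceptor name is carried as an
AssertionConsumerService Location (Scott's proposed convention).
The URI scheme 'urn:x-acceptor:<service>@<host>' is an assumption."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample metadata for one relying party; the Binding value is a placeholder.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://rp.example.org/abfab">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:example:gss-eap" Location="urn:x-acceptor:host@rp.example.org" index="0"/>
    <AssertionConsumerService Binding="urn:example:gss-eap" Location="urn:x-acceptor:ldap@ldap.example.org" index="1"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def acceptor_name_to_uri(acceptor_name):
    """Map a GSS host-based name 'service@host' to the assumed URI form.
    The host part is lowercased (DNS names are case-insensitive);
    anything that is not exactly service@host is rejected."""
    service, sep, host = acceptor_name.partition("@")
    if not sep or not service or not host or "@" in host:
        raise ValueError("acceptor name must be of the form service@host")
    return f"urn:x-acceptor:{service}@{host.lower()}"


def registered_acceptor_uris(metadata_xml):
    """Return (entityID, set of AssertionConsumerService Location URIs)."""
    root = ET.fromstring(metadata_xml)
    tag = f"{{{MD_NS}}}AssertionConsumerService"
    return root.get("entityID"), {acs.get("Location") for acs in root.iter(tag)}


def acceptor_is_registered(metadata_xml, claimed_entity_id, acceptor_name):
    """True only if the claimed entityID matches the metadata AND the acceptor
    name, as a URI, is one of that entity's registered ACS locations.
    Checking both prevents one RP from presenting another RP's metadata."""
    entity_id, locations = registered_acceptor_uris(metadata_xml)
    if entity_id != claimed_entity_id:
        return False
    try:
        return acceptor_name_to_uri(acceptor_name) in locations
    except ValueError:
        return False
```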