Extensibility of SAML 2 metadata

Cantor, Scott cantor.2 at osu.edu
Wed Jun 20 14:59:33 BST 2012


On 6/20/12 9:04 AM, "Tom Scavo" <trscavo at gmail.com> wrote:
>
> > I will note that this scenario is not SAML related, so maybe the answer
> > is it doesn't belong in SAML metadata, extensions or not.
>
> It *is* SAML-related. Back-channel exchanges (artifact resolution and
> attribute query, e.g.) are examples.

Well, it may be similar, but that doesn't mean SAML. On the other hand,
when you're doing security between servers with PKI, you have a handful of
realistic choices:

- manual (assuming you can control what keys are accepted at the two ends)
- full on PKIX, including revocation or OCSP
- half-ass it
- metadata-like mechanisms for key management, involving custom code

You can take a wild guess as to how most do it.

-- Scott
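The last option in the list above, a metadata-like mechanism for key management with custom code, is what the following added example sketches. It is not code from the post, from Shibboleth or from any SAML library: it pulls the `<ds:X509Certificate>` elements out of a `KeyDescriptor` for one entity and turns them into SHA-256 pins that a back-channel TLS client can compare against the DER certificate its peer presents. The metadata fragment, the entityID and the certificate body are constructed placeholders (the "certificate" is an arbitrary byte string, not a real DER certificate; the pinning logic only compares bytes, so it runs without one).

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional, Set

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: a placeholder byte string stands in for a DER-encoded
# certificate. It is NOT a real certificate; the pinning logic below never
# parses it, it only hashes and compares bytes, so a placeholder is enough.
PLACEHOLDER_DER = b"constructed-placeholder-not-a-real-der-certificate"
ENTITY_ID = "https://idp.example.org/idp"  # constructed entityID

SAMPLE_METADATA = (
    f'<md:EntitiesDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}">'
    f'<md:EntityDescriptor entityID="{ENTITY_ID}">'
    '<md:IDPSSODescriptor protocolSupportEnumeration='
    '"urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
    '<ds:X509Certificate>\n  '
    + base64.b64encode(PLACEHOLDER_DER).decode()
    + '\n</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
    '</md:IDPSSODescriptor></md:EntityDescriptor></md:EntitiesDescriptor>'
)


def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 of the DER bytes as hex, the usual form of a certificate pin."""
    return hashlib.sha256(der_bytes).hexdigest()


def pins_from_metadata(metadata_xml: str, entity_id: str,
                       use: Optional[str] = None) -> Set[str]:
    """Collect certificate pins for one entity from a metadata document.

    A KeyDescriptor without a `use` attribute is valid for both signing and
    encryption, so it is kept whatever `use` the caller asks for; one that
    names a different use is skipped.
    """
    root = ET.fromstring(metadata_xml)
    pins = set()
    # iter() includes the root itself, so a bare EntityDescriptor also works.
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        if entity.get("entityID") != entity_id:
            continue
        for kd in entity.iter(f"{{{MD_NS}}}KeyDescriptor"):
            kd_use = kd.get("use")
            if use is not None and kd_use is not None and kd_use != use:
                continue
            for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
                # Certificate bodies are usually wrapped and indented.
                der = base64.b64decode("".join((cert.text or "").split()))
                pins.add(fingerprint(der))
    return pins


def peer_is_pinned(peer_der: bytes, pins: Set[str]) -> bool:
    """Accept/reject decision for a back-channel TLS connection.

    `peer_der` is what ssl.SSLSocket.getpeercert(binary_form=True) returns.
    The leaf certificate must match a pinned one exactly: no chain building,
    no name matching, no revocation, which is exactly the trade the
    "metadata-like" option makes against full PKIX.
    """
    return fingerprint(peer_der) in pins


if __name__ == "__main__":
    pins = pins_from_metadata(SAMPLE_METADATA, ENTITY_ID, use="signing")
    print("pinned:", sorted(pins))
    print("accept placeholder peer:", peer_is_pinned(PLACEHOLDER_DER, pins))
    print("accept unknown peer:", peer_is_pinned(b"some-other-cert", pins))
```

What this leaves out is the part that makes the approach safe in practice and that the post calls "custom code": the metadata document itself has to be signature-verified and its `validUntil`/`cacheDuration` honoured before any pin taken from it is trusted, and key rollover means accepting every certificate listed for the entity, not just the first.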
