Extensibility of SAML 2 metadata
Cantor, Scott
cantor.2 at osu.edu
Wed Jun 20 14:59:33 BST 2012
On 6/20/12 9:04 AM, "Tom Scavo" <trscavo at gmail.com> wrote:
>
>> I will note that this scenario is not SAML related, so maybe the answer
>> is it doesn't belong in SAML metadata, extensions or not.
>
> It *is* SAML-related. Back-channel exchanges (artifact resolution and
> attribute query, e.g.) are examples.
Well, it may be similar, but that doesn't mean SAML. On the other hand,
when you're doing security between servers with PKI, you have a handful of
realistic choices:
- manual (assuming you can control what keys are accepted at the two ends)
- full on PKIX, including revocation or OCSP
- half-ass it
- metadata-like mechanisms for key management, involving custom code
You can take a wild guess as to how most do it.
-- Scott