Embedded Discovery Service With Custom Service Provider.

Cantor, Scott cantor.2 at osu.edu
Thu May 7 11:40:07 EDT 2015

On 5/7/15, 10:49 AM, "Surinaidu Majji" <pioneer.suri at gmail.com> wrote:
>1) In order to make a request from the Non-Shibboleth SP to the Embedded Discovery Service (EDS), currently we are making an HTTP GET request with 'entityId' and 'return' parameters from the Non-Shibboleth SP to the EDS. Now, how can the request be made securely? And in which format does the request have to be made?

It isn't secure, it's just a GET. You're stating outright the format and then asking for the format. I don't really know what you want here.

If you haven't read the specification, it's here [1]. That is the answer to any questions you have in general about the protocol, which is nothing, it's a redirect flow. It's dead simple. This is all overkill for everything you're doing. Just use a page with links on it.

>2) According to our understanding, initially the SP is making a request to the EDS, then the EDS is making an XMLHttpRequest back to the SP's discovery feed in order to pull in the data it needs to render the UI.

I'm not sure if it's done exactly that way or not, but it's an implementation detail.

> So what is the main purpose of "SP requesting EDS to get the list of IdPs"? And why can't the EDS store the same JSON feed information (list of IdPs) for display when SP is requested?

The EDS is in JavaScript, there's nowhere to "store" the information.

-- Scott

[1] https://wiki.oasis-open.org/security/IdpDiscoSvcProtonProfile
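
Added example, not part of the message above or of the EDS code: a sketch of how a discovery service can handle the unauthenticated GET discussed in this thread, checking 'return' against endpoints registered for the SP before redirecting the user's choice back. The parameter names (entityID, return, returnIDParam) follow the profile cited at [1]; the hostnames, the REGISTERED_RETURNS table and the function names are constructed for illustration.

```javascript
// Constructed stand-in for the discovery response endpoints an SP
// would publish in its metadata (assumption for this example).
const REGISTERED_RETURNS = {
  "https://sp.example.org/shibboleth": [
    "https://sp.example.org/disco/return",
  ],
};

// Parse the plain GET the SP redirects the browser to. Nothing in it is
// signed, so every value is treated as untrusted input.
function parseDiscoveryRequest(requestUrl) {
  const q = new URL(requestUrl).searchParams;
  const entityID = q.get("entityID");
  if (!entityID) throw new Error("missing entityID");
  const allowed = REGISTERED_RETURNS[entityID];
  if (!allowed) throw new Error("unknown SP: " + entityID);
  // Without 'return', fall back to the SP's registered endpoint.
  const target = new URL(q.get("return") || allowed[0]);
  // Compare origin and path only; the SP may append its own query string.
  const ok = allowed.some((a) => {
    const r = new URL(a);
    return r.origin === target.origin && r.pathname === target.pathname;
  });
  if (!ok) throw new Error("return URL not registered for " + entityID);
  return {
    entityID,
    returnUrl: target,
    returnIDParam: q.get("returnIDParam") || "entityID",
  };
}

// Build the redirect that carries the selected IdP back to the SP.
function buildDiscoveryResponse(req, selectedIdP) {
  const out = new URL(req.returnUrl.href);
  out.searchParams.set(req.returnIDParam, selectedIdP);
  return out.href;
}
```

The allowlist check is what keeps an unauthenticated request from turning the discovery service into an open redirector; the flow itself stays a simple pair of redirects.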
