SP registration APIs

Cantor, Scott cantor.2 at osu.edu
Wed Aug 1 12:08:21 EDT 2018


> No idea whether it would be possible to wire stuff in a way so that you'd
> accept signed authn requests from unknown SPs (i.e., ones you have no
> metadata for) over the HTTP POST binding (so that you have the signing cert
> available verbatim) and validate the signing cert's PKIX trust path, and if that's
> all fine, send the response to the requested location.
> That should give you something pretty close to what Cosign did, no?

I thought about that but since you mentioned it...I don't think that strictly speaking the code that does the metadata lookups provides easy access to the SAML request to be able to essentially mock the metadata in that exact fashion. I think it could be changed to do that, but more immediately, I think various tricks like thread-local variables and the like could probably make it work.

Something in that direction is probably doable, but it's not trivial Java work obviously and it may not plug in to the code now without small changes.

-- Scott