SP registration APIs

Peter Schober peter.schober at univie.ac.at
Wed Aug 1 12:09:51 EDT 2018

* Peter Schober <peter.schober at univie.ac.at> [2018-08-01 18:02]:
> When metadata is used to convey technical trust (that the endpoints
> and keys are legit and belong to the party you think they do) how are
> you going to bootstrap that trust?  Nothing you do (e.g. standing up a
> toy CA where operators can get client certs from that authorize write
> access to that hypothetical registration API) will probably satisfy
> the desires of those "container orchestrators" you mention.

Well, I guess you could run an OAuth 2.0 or OIDC system with
self-registration to protect those API endpoints, but I still don't
see how a freshly generated container would be able to authenticate
itself to all that, either.

Maybe the "container orchestrators" you mention would be able to
inject some secret to make that happen (and not have the secret within
the containers), but that seems like a tall order for your community
having to implement all that only to register a "legacy" SAML SP with
your IDP.

OIDC with no trust (only web PKIX) and self-registration is probably
closest to what you have right now?
