SP registration APIs

Peter Schober peter.schober at univie.ac.at
Wed Aug 1 22:13:58 EDT 2018

* Liam Hoekenga <liamr at umich.edu> [2018-08-01 21:57]:
> Running an open SAML IDP or enabling OIDC dynamic registration
> creates a similar problem that we're having with Cosign - we don't
> have a good idea of who's using our service or how to get in touch
> with them.

OK, so you're not actually interested in re-creating the status quo
with SAML (or OIDC).

Also it seems to me the desires of your potential "customers" (fully
automated self-registration, AFAIU) don't align well with the desires
of the operator of such an infrastructure (e.g. your questions above
for a start).

Not sure there's room for a middle ground here: E.g. while you could
have the operators of to-be-connected services sign up manually via
some web form to request "API keys" -- which would give you a point of
contact (and documentation of purpose, etc.) and would give them
access to a hypothetical POST-your-metadata-here API endpoint (they
could inject the token into their orchestration thingies) -- it sounds
much easier to me to just upload the metadata itself right then and
there and be done?
Unless you really really need something that allows them to fire up a
fresh docker container and have it work with your SSO system, but in a
trustworthy way.  Then such tokens might still serve a purpose.
(You'll just have to deal with the issue of token re-use across
distinct projects and servers, because laziness. Oh, and implement all
the hypothetical services I mentioned so far.)


More information about the users mailing list