
mace-opensaml-users - RE: is there an implementation of FilesystemCredentialResolver ?

Subject: OpenSAML user discussion


RE: is there an implementation of FilesystemCredentialResolver ?


  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: is there an implementation of FilesystemCredentialResolver ?
  • Date: Mon, 11 Feb 2008 15:09:08 -0500
  • Organization: The Ohio State University

> Maybe I'm not seeing the wood for the trees but I'd say metadata is more
> useful if you forecast many different use cases and you get something
> in the assertions that you can match to the metadata.

Yes, that's probably a fair statement, but if you don't, it's pretty
blatantly not even a SAML 2.0 use case, so yeah, all bets are off.

> I don't even
> get entityIDs in the assertions, just some attributes I can use to
> find out the entity (institution) who has authenticated the user
> that is trying to access my services.

Ok, then I'll shut up, as it's non-compliant.

> No, I don't think we need revocation (well, at least we don't do it now).

You might consider relaxing a lot of your requirements in the face of that.
;-)

> In the Issuer I get the name of a centre, and I decide trust based
> on the institution the centre belongs to. The information on what
> centre belongs to what institution is in the DB (is small enough
> to have a cache in memory, but the DB is the source). I'm not claiming
> that's proper SAML, it's just what I get.

Understood.

> It may not be proper
> SAML because the issuer should be the institution, at least the
> signing certificate belongs to the institution.

It's irrelevant who it is, but it MUST be an entityID, period, at least for
web SSO. Else it's non-compliant and you're in a world of pain because it's
extremely difficult to go backwards from a certificate to something else. As
you clearly know.

-- Scott
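The point Scott makes above is that trust resolution should run forward: the assertion's Issuer is an entityID, the entityID selects an entity in metadata, and that entity's KeyDescriptor says which signing certificate is acceptable. Trying to run it backwards, from a bare certificate or a centre name to an institution, is what leads to the DB-lookup scheme described in the quoted text. The following Python is an added example written for this page, not OpenSAML code and not the poster's code; the metadata, assertion and certificate bytes are all constructed placeholders, and the XML-signature cryptography itself is left to the SAML library (only the key-selection step is shown). It covers the general case, including a non-entity Issuer Format and an unregistered certificate, rather than the single case in the thread.

```python
"""Forward trust resolution: Issuer (entityID) -> metadata -> signing key.

Added example, not OpenSAML code. Certificates here are constructed
placeholder bytes; only their fingerprints are compared. The actual
ds:Signature verification must still be done by a SAML/XML-DSig library.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ENTITY_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"

# Constructed placeholder "certificates" (not real DER); used only by fingerprint().
IDP_CERT_B64 = base64.b64encode(b"constructed-idp-signing-cert").decode()
OTHER_CERT_B64 = base64.b64encode(b"constructed-unknown-cert").decode()

# Constructed metadata for one hypothetical IdP entity.
METADATA_XML = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:IDPSSODescriptor>
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{IDP_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def fingerprint(cert_b64):
    """SHA-256 over the decoded certificate bytes (whitespace in base64 ignored)."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()


def load_signing_keys(metadata_xml):
    """Map entityID -> set of acceptable signing-certificate fingerprints."""
    root = ET.fromstring(metadata_xml)
    keys = {}
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        fps = set()
        for kd in ed.iter(f"{{{NS['md']}}}KeyDescriptor"):
            # A KeyDescriptor with no 'use' attribute covers both signing and encryption.
            if kd.get("use", "signing") != "signing":
                continue
            for cert in kd.iter(f"{{{NS['ds']}}}X509Certificate"):
                fps.add(fingerprint(cert.text or ""))
        keys[ed.get("entityID")] = fps
    return keys


def build_assertion(issuer, cert_b64, fmt=None):
    """Constructed minimal assertion; a real one carries a full ds:Signature."""
    fmt_attr = f' Format="{fmt}"' if fmt else ""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Issuer{fmt_attr}>{issuer}</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
</saml:Assertion>"""


def resolve_issuer(assertion_xml, keys):
    """Return (accepted, reason). Never derive the entity from the certificate."""
    root = ET.fromstring(assertion_xml)
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or not (issuer.text or "").strip():
        return False, "no Issuer element"
    # For web SSO the Issuer must be an entityID: Format, if present, must be the entity format.
    fmt = issuer.get("Format")
    if fmt is not None and fmt != ENTITY_FORMAT:
        return False, f"Issuer Format {fmt} is not an entityID"
    entity_id = issuer.text.strip()
    if entity_id not in keys:
        return False, f"unknown entityID {entity_id!r}"
    cert = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        return False, "no signing certificate in assertion"
    if fingerprint(cert.text) not in keys[entity_id]:
        return False, "signing certificate not registered for this entityID in metadata"
    # Only now would the XML-DSig library be asked to verify the signature with this key.
    return True, entity_id


if __name__ == "__main__":
    keys = load_signing_keys(METADATA_XML)
    for label, a in [
        ("compliant", build_assertion("https://idp.example.edu/idp", IDP_CERT_B64)),
        ("centre name as Issuer", build_assertion("Centre A", IDP_CERT_B64)),
        ("unregistered cert", build_assertion("https://idp.example.edu/idp", OTHER_CERT_B64)),
    ]:
        print(label, resolve_issuer(a, keys))
```

The lookup keyed on the entityID is what lets one set of metadata serve many relying parties: the DB-of-centres approach in the quoted text has to be rebuilt per deployment, whereas a KeyDescriptor in metadata is consumed unchanged by any SAML 2.0 implementation.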
