
shibboleth-dev - RE: SAML Artifact attribute

Subject: Shibboleth Developers

  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: SAML Artifact attribute
  • Date: Mon, 1 May 2006 12:53:35 -0400
  • Organization: The Ohio State University

> Have you done experiments that suggest this is the case?

Yes, but we're talking fast vs. faster at this point, so it's hardly the
main issue.

> It would
> seem that moving data via the front channel (two hops, with a browser
> in the middle) would be more costly in general.

How is that avoided in artifact? The amount of data here is not the issue,
unless you're using a dial-up line or a hundred attributes.

> Indeed, from the time
> the "we're redirecting you" message is displayed in the browser, there
> is a one or two second delay before the final redirect.

Yeah...that's the callback. SSL and all that. Try it a second time, it will
be much quicker because the connection is kept. The problem is that POST
plus callback is the worst case...all the drawbacks, none of the advantages.

> In any event, I
> don't see how POST can be any better than Artifact even under the best
> of circumstances.

I think it's obvious. Add in the fact that nobody out there knows how to
handle keys, and it's a no-brainer to me. I'm happy to let people out there
keep using callbacks, just don't make me support them.

The real issue with artifact is that it's so hard to deploy. People can't
handle one SOAP endpoint, and now you're talking about multiple endpoints
with different names so that you don't need shared state...it's a support
disaster waiting to happen.

-- Scott



