shibboleth-dev - Re: Dynamic metadata, API thoughts
Subject: Shibboleth Developers
List archive
- From: Ian Young <>
- To:
- Subject: Re: Dynamic metadata, API thoughts
- Date: Wed, 28 Jun 2006 15:38:54 +0100
Scott Cantor wrote:
so how does the location being queried for metadata know which signed metadata to return? Query parameters? Client TLS authentication?
Authentication, however done, yes. That's how it probably has to work.
I think you've mentioned that before as one of the reasons URL-style entity IDs should use the https scheme, not http. So, that makes sense.
As an alternative to proper authentication, though, it would be possible to just pass an additional header, or a query parameter. The only downside I can think of is that random people could ask for your metadata, but I don't think I worry about that. After all, the current model is to stick a file up on a web site, which is not exactly private.
Now
just imagine the set up for that at each provider. Scalability's great until
it becomes so complex you can't deploy it.
Right, this definitely makes sense only if we can make it deployable. I can certainly see it being pretty hard to set up a TLS authentication system that works when the two entities have no prior knowledge of each other, as you might need the metadata to know what certificate to present to get the metadata...
Something short of real authentication (special header or query parameter containing a "federation name URI") would be simpler to set up.
Note that with the new code, it's very simple to prune out just the entities
you need from a large file. Start up cost might be high, but runtime memory
usage could be very low.
Pruning allows you to throw away entities you know you'll never need. It doesn't help you with the case where you *might* talk to a whole lot of entities, but not many in any given period.
Or you could just load it all into a local database
cache, etc. Lots of ways to tackle scalability without a fully distributed
model.
That's true, and I'm certainly not trying to rule out any solutions like that (although again that might be a tad complicated to set up at each provider unless you start bundling a database with Shibb). I imagine we'll end up hashing through a number of partial solutions before we settle on a final one, if we ever do.
because metadata usage
should be simple and transparent.
Can't argue with that ;-)
-- Ian
- Dynamic metadata, API thoughts, Scott Cantor, 06/21/2006
- Re: Dynamic metadata, API thoughts, Ian Young, 06/28/2006
- Re: Dynamic metadata, API thoughts, Chad La Joie, 06/28/2006
- Re: Dynamic metadata, API thoughts, Ian Young, 06/28/2006
- RE: Dynamic metadata, API thoughts, Scott Cantor, 06/29/2006
- Re: Dynamic metadata, API thoughts, Ian Young, 06/28/2006
- Re: Dynamic metadata, API thoughts, Thomas Lenggenhager, 06/28/2006
- RE: Dynamic metadata, API thoughts, Scott Cantor, 06/28/2006
- Re: Dynamic metadata, API thoughts, Ian Young, 06/28/2006
- Re: Dynamic metadata, API thoughts, Walter Hoehn, 06/28/2006
- Re: Dynamic metadata, API thoughts, Ian Young, 06/28/2006
- Re: Dynamic metadata, API thoughts, Walter Hoehn, 06/28/2006
- Re: Dynamic metadata, API thoughts, Ian Young, 06/28/2006
- Re: Dynamic metadata, API thoughts, Chad La Joie, 06/28/2006
- Re: Dynamic metadata, API thoughts, Ian Young, 06/28/2006
Archive powered by MHonArc 2.6.16.