Shibboleth Developers

[Walter Hoehn <>]

On Jun 28, 2006, at 9:38 AM, Ian Young wrote:

> Scott Cantor wrote:
>
> > > so how does the location being queried for metadata know which  
> > > signed metadata to return?  Query parameters?  Client TLS  
> > > authentication?
> > Authentication, however done, yes. That's how it probably has to  
> > work.
>
> I think you've mentioned that before as one of the reasons URL- 
> style entity IDs should use the https scheme, not http.  So, that  
> makes sense.
>
> As an alternative to proper authentication, though, it would be  
> possible to just pass an additional header, or a query parameter.   
> The only downside I can think of is that random people could ask  
> for your metadata, but I don't think I worry about that.  After  
> all, the current model is to stick a file up on a web site, which  
> is not exactly private.

To my mind, this becomes much more of an issue than it is now if  
folks begin to encode IdP-specific attribute requirements into the  
metadata.

-Walter