
shibboleth-dev - [Shib-Dev] Re: [Shib-Users] the '_saml_idp' cookie


[Shib-Dev] Re: [Shib-Users] the '_saml_idp' cookie


  • From: Tom Scavo <>
  • To: Shibboleth Developers <>
  • Subject: [Shib-Dev] Re: [Shib-Users] the '_saml_idp' cookie
  • Date: Fri, 31 Dec 2010 13:46:48 -0600

[thread from shib-users continued at shib-dev]

On Wed, Dec 29, 2010 at 9:59 PM, Cantor, Scott E. <> wrote:
>> Does the Shib DS utilize a cookie named '_saml_idp'?
>
> The answer, BTW, is yes, that's the cookie it uses. Same for the embedded
> version.

I spent the morning looking over the WAYF and DS code (which means I'm
barely knowledgeable about the two webapps, so please cut me some
slack :)

My hasty conclusion is that the '_saml_idp' cookie used by both the
Centralized DS (CDS) and the Embedded DS (EDS) is *not* the common
domain cookie (CDC), even though the two cookies have the same name
and value syntax. For the EDS, this is mainly a documentation issue,
so no big deal. For the CDS, there may be more significant issues (see
below).

The '_saml_idp' cookie used by the EDS is not the CDC because:

- it does not specify a common domain
- it is not URL-encoded (bug?)
- it is not marked as 'secure' (bug?)

The first point is most important. The cookie used by the EDS MUST NOT
explicitly set the 'domain' property (since an explicit domain must
start with a dot) and so the CDC is not usable on the EDS.

Out of the box, the '_saml_idp' cookie used by the CDS is not the CDC
because it, too, does not specify a common domain. However, it can be
configured with a common domain AFAICT, although I'm not finding
anything in the documentation about this. Is there some reason why
this isn't documented?

I realize the CDS is no longer the primary focus of development, but I
think it would be useful if the CDS implemented a common domain
writing service (CDWS) and a common domain reading service (CDRS), not
as suggested in the spec, but using a simple (passive) HTTP protocol.
Then the EDS could be configured to query the CDRS (if one existed) to
obtain hints about the user's preferred IdP(s) in other subdomains. Of
course the EDS could routinely invoke the CDWS as well, to provide
hints to other SPs.

I'm not entirely clear where discovery is headed (even though I've
read everything I can get my hands on) but it seems some interaction
between the EDS and the CDS is desirable. I don't think the latter is
going away any time soon.

Tom
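Added illustration, not code from Shibboleth or from the poster: a checker that applies the three points in the mail (common domain, URL-encoding, Secure flag) to a `_saml_idp` Set-Cookie header, plus two constructed builders, one producing a cookie that satisfies them and one shaped like the EDS cookie the mail describes. The value syntax assumed (URL-encoded, space-separated, base64-encoded entityIDs) is the CDC syntax the mail says both cookies share; the entityIDs and domain are made-up sample values.

```python
import base64
import binascii
from urllib.parse import quote, unquote

COOKIE_NAME = "_saml_idp"

def parse_set_cookie(header):
    """Split 'name=value; Attr=val; Flag' into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def decode_idp_list(value):
    """CDC value syntax: URL-encoded, space-separated list of base64-encoded entityIDs."""
    tokens = unquote(value).split()
    return [base64.b64decode(t, validate=True).decode("utf-8") for t in tokens]

def check_cdc(header):
    """Return the CDC requirements from the mail that this Set-Cookie line fails ([] = passes)."""
    name, value, attrs = parse_set_cookie(header)
    if name != COOKIE_NAME:
        return ["wrong cookie name"]
    problems = []
    domain = attrs.get("domain", "")
    if not domain:
        problems.append("no common domain")                # the mail's first, most important point
    elif not domain.startswith("."):
        problems.append("domain is not a common domain")   # leading-dot rule as stated in the mail
    if "secure" not in attrs:
        problems.append("not marked secure")
    if any(ch in value for ch in " =+/"):                  # raw base64 characters survived
        problems.append("not URL-encoded")
    try:
        decode_idp_list(value)
    except (binascii.Error, UnicodeDecodeError):
        problems.append("value is not a base64 entityID list")
    return problems

def cdc_header(entity_ids, common_domain):
    """Constructed sample: a Set-Cookie line that meets all three points."""
    raw = " ".join(base64.b64encode(e.encode()).decode() for e in entity_ids)
    return f"{COOKIE_NAME}={quote(raw, safe='')}; Domain={common_domain}; Path=/; Secure"

def eds_style_header(entity_ids):
    """Constructed sample shaped like the EDS cookie in the mail: no domain, raw value, no Secure."""
    raw = " ".join(base64.b64encode(e.encode()).decode() for e in entity_ids)
    return f"{COOKIE_NAME}={raw}; Path=/"
```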



Archive powered by MHonArc 2.6.16.
