shibboleth-dev - Re: [Shib-Dev] Re: the '_saml_idp' cookie

  • From: "Cantor, Scott E." <>
  • Subject: Re: [Shib-Dev] Re: the '_saml_idp' cookie
  • Date: Sat, 1 Jan 2011 20:35:59 +0000

>My hasty conclusion is that the '_saml_idp' cookie used by both the
>Centralized DS (CDS) and the Embedded DS (EDS) is *not* the common
>domain cookie (CDC), even though the two cookies have the same name
>and value syntax.

All I meant was that it has the same format and meaning.

>I realize the CDS is no longer the primary focus of development, but I
>think it would be useful if the CDS implemented a common domain
>writing service (CDWS) and a common domain reading service (CDRS), not
>as suggested in the spec, but using a simple (passive) HTTP protocol.

In other words, you want to get around the rules for cookie access, but
that's not possible. It is not appropriate to allow for unconstrained
overwriting of the cookie without any way to authenticate or protect that
action, because that leads to phishing. That's why it's meant to be
implemented by having an actual presence in the common domain by the
parties using it (which in turn we all know is a dead end).

>Then the EDS could be configured to query the CDRS (if one existed) to
>obtain hints about the user's preferred IdP(s) in other subdomains. Of
>course the EDS could routinely invoke the CDWS as well, to provide
>hints to other SPs.

But the single federation case isn't common or interesting, so this turns
into the same thing Ping was proposing with probes for a dozen or more
cookies, and brings in the need for IFRAMEs and timeouts, and third party
cookies, etc.

>I'm not entirely clear where discovery is headed (even though I've
>read everything I can get my hands on) but it seems some interaction
>between the EDS and the CDS is desirable. I don't think the latter is
>going away any time soon.

It isn't meant to be used, though, and any place it is used, the wrong
thing is probably happening, probably because the alternative was too much
work or not clearly documented.

We are not trying to provide for cross-SP hints. It's pretty much that
simple, I think. (The exception is for cases where SPs are themselves
related and sharing a DS by choice, but that's never going to be one
federation's DS.)

-- Scott
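The point Scott makes is that the '_saml_idp' cookie is client-controlled, so a reading service must not act on its contents blindly. The following is an added example, not code from this thread or from Shibboleth: it parses the cookie as the SAML IdP Discovery profile defines it (space-separated base64 entityIDs, most recent last) and keeps only hints that name IdPs present in the federation's metadata; the entityIDs and the KNOWN_IDPS allowlist are constructed stand-ins.

```python
import base64

# Constructed stand-in for the set of IdP entityIDs found in federation metadata.
KNOWN_IDPS = {
    "https://idp.example.edu/idp/shibboleth",
    "https://login.example.org/saml2/idp",
}

MAX_ENTRIES = 5  # keep the cookie small; the most recently used IdP is last


def parse_saml_idp_cookie(value):
    """Decode a _saml_idp value into a list of entityIDs, most recent last.
    Entries that are not valid base64 / UTF-8 are skipped, not fatal."""
    entity_ids = []
    for token in value.split():
        try:
            entity_ids.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
            continue
    return entity_ids


def trusted_hints(value, known_idps=KNOWN_IDPS):
    """Return only hints that name an IdP in metadata; anything else could have
    been written by any party able to set cookies in that domain."""
    return [e for e in parse_saml_idp_cookie(value) if e in known_idps]


def encode_saml_idp_cookie(entity_ids):
    """Inverse of parse_saml_idp_cookie: base64 each entityID, join with spaces."""
    return " ".join(
        base64.b64encode(e.encode("utf-8")).decode("ascii") for e in entity_ids
    )


def record_selection(value, chosen, known_idps=KNOWN_IDPS, max_entries=MAX_ENTRIES):
    """Produce the new cookie value after the user picks `chosen`: drop untrusted
    entries, move `chosen` to the end, and cap the list length."""
    if chosen not in known_idps:
        raise ValueError("refusing to record an IdP that is not in metadata")
    hints = [e for e in trusted_hints(value, known_idps) if e != chosen]
    hints.append(chosen)
    return encode_saml_idp_cookie(hints[-max_entries:])
```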
