Kristof BAJNOK wrote on 2009-01-16:
> is it possible to configure an SP to use Artifact profile by default but
> fall back to POST if the IdP doesn't support artifacts? I thought this is
> what defaultACSIndex is for, but now I'm not sure...
You can't tell what *outbound* bindings an IdP supports, so the question is
unanswerable. Interoperability requires standardizing the bindings that
people have to support ahead of time.
* Kristof BAJNOK <[hidden email]> [2009-01-16 15:59]:
> Probably I'm the only one who prefers Artifact over POST profiles (because
> IdP not supporting it. :S
Saves a single click if enabled, still works if not enabled?
In the past I thought about using artifacts for non-SSL enabled vhosts
since there's no HTTP POST from https to http, which would trigger a
browser warning. But besides the fact that you can't mandate all
IdPs your SP is dealing with to support artifacts (which relates to
your problem) there's also no good excuse to *not* be running SSL
anywhere (which was the whole point for my thinking here), as Scott
has pointed out repeatedly.
[hidden email] - vienna university computer center
Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
Tel. +43-1-4277-14155, Fax. +43-1-4277-9140
On Friday 16 January 2009 Scott Cantor wrote:
> > is it possible to configure an SP to use Artifact profile by default
> > but fall back to POST if the IdP doesn't support artifacts?
> You can't tell what *outbound* bindings an IdP supports, so the question
> is unanswerable.
If an IdP metadata entry doesn't contain an ArtifactResolutionService with
an available outgoing binding, then a SessionInitiator could fail before
redirection occurs. (Just like when there's no appropriate IdP role.)
If that were the case, it would be possible to chain several
SessionInitiators together with different defaultACSIndex.
> Interoperability requires standardizing the bindings
> that people have to support ahead of time.
Right, although I'd like to be as flexible as technically possible.
Could you please let me know if you think it's feasible to implement such a
Systems Engineer / Middleware
NIIF / Hungarnet
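
The metadata check proposed in the last message above, as an added example that is not part of the thread or of the Shibboleth SP code: it picks the ACS binding to request depending on whether the IdP's metadata entry lists an ArtifactResolutionService with a binding the SP can speak. The function name, the `sp_outbound` parameter and the sample metadata are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
ACS_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
ACS_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SSO = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed metadata: idp-a advertises artifact resolution, idp-b does not,
# and the third entity has no IdP role. Assumed to be signature-verified already.
SAMPLE = f"""<EntitiesDescriptor xmlns="{MD}">
 <EntityDescriptor entityID="https://idp-a.example.org/idp">
  <IDPSSODescriptor protocolSupportEnumeration="{PROTO}">
   <ArtifactResolutionService index="1" Binding="{SOAP}"
     Location="https://idp-a.example.org:8443/artifact"/>
   <SingleSignOnService Binding="{SSO}" Location="https://idp-a.example.org/sso"/>
  </IDPSSODescriptor>
 </EntityDescriptor>
 <EntityDescriptor entityID="https://idp-b.example.org/idp">
  <IDPSSODescriptor protocolSupportEnumeration="{PROTO}">
   <SingleSignOnService Binding="{SSO}" Location="https://idp-b.example.org/sso"/>
  </IDPSSODescriptor>
 </EntityDescriptor>
 <EntityDescriptor entityID="https://sp.example.org/sp">
  <SPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
 </EntityDescriptor>
</EntitiesDescriptor>"""


def choose_acs_binding(metadata_xml, entity_id, sp_outbound=(SOAP,)):
    """Return the ACS binding to request, or None when no IdP role exists."""
    root = ET.fromstring(metadata_xml)
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        if entity.get("entityID") != entity_id:
            continue
        roles = entity.findall(f"{{{MD}}}IDPSSODescriptor")
        if not roles:
            return None  # fail before redirection, as with a missing IdP role
        for role in roles:
            for ars in role.findall(f"{{{MD}}}ArtifactResolutionService"):
                if ars.get("Binding") in sp_outbound:
                    return ACS_ARTIFACT  # resolution endpoint is reachable
        return ACS_POST  # nothing to resolve artifacts against: fall back
    return None  # entity not present in the metadata at all
```

The result reflects only what the metadata entry advertises about artifact resolution.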