Fallback to POST?


Fallback to POST?

Kristof BAJNOK
Hi,

is it possible to configure an SP to use Artifact profile by default but
fall back to POST if the IdP doesn't support artifacts? I thought this is
what defaultACSIndex is for, but now I'm not sure...

Probably I'm the only one who prefers Artifact over POST profiles (because
of its speed and lack of using JavaScript), though now I'm stuck with an
IdP not supporting it. :S

Thanks,
Kristof
--
Kristof BAJNOK
Systems Engineer / Middleware
NIIF / Hungarnet
Hungary

RE: Fallback to POST?

Cantor, Scott E.
Kristof BAJNOK wrote on 2009-01-16:
> is it possible to configure an SP to use Artifact profile by default but
> fall back to POST if the IdP doesn't support artifacts? I thought this is
> what defaultACSIndex is for, but now I'm not sure...

You can't tell what *outbound* bindings an IdP supports, so the question is
unanswerable. Interoperability requires standardizing the bindings that
people have to support ahead of time.

-- Scott



Re: Fallback to POST?

Peter Schober
In reply to this post by Kristof BAJNOK
Hey Kristof,

* Kristof BAJNOK <[hidden email]> [2009-01-16 15:59]:
> Probably I'm the only one who prefers Artifact over POST profiles (because
> of its speed and lack of using JavaScript), though now I'm stuck with an
> IdP not supporting it. :S

I really can't see where JavaScript is the big issue here?
Saves a single click if enabled, still works if not enabled?

In the past I thought about using artifacts for non-SSL enabled vhosts
since there's no HTTP POST from https to http, which would trigger a
browser warning. But besides the fact that you can't mandate all
IdPs your SP is dealing with to support artifacts (which relates to
your problem) there's also no good excuse to *not* be running SSL
anywhere (which was the whole point for my thinking here), as Scott
has pointed out repeatedly.

cheers,
-peter

--
[hidden email] - vienna university computer center
Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
Tel. +43-1-4277-14155, Fax. +43-1-4277-9140

Re: Fallback to POST?

Kristof BAJNOK
In reply to this post by Cantor, Scott E.
[Sorry for replying to an old thread]

On Friday 16 January 2009 Scott Cantor wrote:
> > is it possible to configure an SP to use Artifact profile by default
> > but fall back to POST if the IdP doesn't support artifacts?
>
> You can't tell what *outbound* bindings an IdP supports, so the question
> is unanswerable.

If an IdP metadata entry doesn't contain an ArtifactResolutionService with
an available outgoing binding, then a SessionInitiator could fail before
redirection occurs. (Just like when there's no appropriate IdP role.)

If that were the case, it would be possible to chain several
SessionInitiators together with different defaultACSIndex.

> Interoperability requires standardizing the bindings
> that people have to support ahead of time.

Right, although I'd like to be as flexible as technically possible.

Could you please let me know if you think it's feasible to implement such a
pre-check?

Thanks,
Kristof
--
Kristof BAJNOK
Systems Engineer / Middleware
NIIF / Hungarnet
Hungary
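
The metadata pre-check proposed in the message above, sketched as an added example (not code from the thread or from the SP software): it looks for a SOAP ArtifactResolutionService in an IdP's SAML 2.0 metadata and picks an ACS index accordingly. The sample metadata, entity IDs, function names and index values are constructed for illustration, and the https-only rule is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SOAP = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: idp-a lists an artifact resolution endpoint, idp-b does not.
SAMPLE_METADATA = """\
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="https://idp-a.example.org/idp">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <ArtifactResolutionService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
          Location="https://idp-a.example.org/idp/artifact"/>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp-a.example.org/idp/sso"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://idp-b.example.org/idp">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp-b.example.org/idp/sso"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""

def has_artifact_resolution(metadata_xml, entity_id):
    """True if the entity's SAML 2.0 IdP role lists a SOAP ArtifactResolutionService."""
    # Assumption: the metadata was signature-verified before it reaches this check.
    root = ET.fromstring(metadata_xml)
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        if entity.get("entityID") != entity_id:
            continue
        for role in entity.findall(f"{{{MD}}}IDPSSODescriptor"):
            if SAML2_PROTOCOL not in role.get("protocolSupportEnumeration", "").split():
                continue
            for ars in role.findall(f"{{{MD}}}ArtifactResolutionService"):
                # Assumption of this sketch: only TLS-protected endpoints count.
                if ars.get("Binding") == SOAP and ars.get("Location", "").startswith("https://"):
                    return True
    return False

def pick_acs_index(metadata_xml, entity_id, artifact_index, post_index):
    """Return the ACS index to request: artifact if resolvable, otherwise POST."""
    if has_artifact_resolution(metadata_xml, entity_id):
        return artifact_index
    return post_index
```

A missing endpoint means the SP has nowhere to resolve an artifact; a present one shows only that resolution is possible, not that the IdP will answer with an artifact.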

RE: Fallback to POST?

Cantor, Scott E.
Kristof BAJNOK wrote on 2009-01-22:
> Could you please let me know if you think it's feasible to implement
> such a pre-check?

I don't know offhand, but if it's not in jira, I won't even get around to
thinking about it.

-- Scott