List: shibboleth-users
Subject: Re: OIDC Issuer value
From: Nate Klingenstein <ndk () sudonym ! me>
Date: 2024-04-26 16:09:52
Message-ID: B6510987-907C-4427-8EF8-363E90BF252A () sudonym ! me
Joanne,
It just means that the URI selected for your SAML entityID is supposed to be detached from your deployment. This means it can be any URI anywhere, as long as it's one you control. There is some common practice now for those URIs to resolve to SAML metadata, but I'd call it far from comprehensive.

Conversely, OIDC expects to find a specific file at a specific location on the recipient server (/.well-known/openid-configuration/), so you must have an issuer that matches the FQDN/location of your server. There would be no conflict with them being the same value, but it might get a little confusing, and it most likely isn't an option.
I hope this helps,
Nate
> On Apr 26, 2024, at 9:38 AM, Schwendner, Joanne via users <users@shibboleth.net> wrote:
>
> We are preparing to add OIDC support to our IDP (4.2.1) and are unsure about what identifier to use for OIDC Issuer. The doc says
> "...while it may be the same as one's SAML entityID, it often cannot be, as SAML does not conflate identity and location in this fashion."
> I am an OIDC newbie, and am not clear on what that means. Maybe if it were stated another way? Is there a reason why the OIDC Issuer should NOT be the same as our IDP SAML Issuer (Entity ID)? Would there be a conflict in the IDP between SAML and OIDC if they're the same?
> Joanne
>
> ---
>
> Joanne Schwendner
> Identity Services
> Office of Information Technology
> Brown University
> --
> For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw To unsubscribe from this list send an email to users-unsubscribe@shibboleth.net
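The discovery mechanism Nate describes, as an added example that is not part of this thread or of the Shibboleth IdP: it derives the OIDC Discovery URL from a candidate issuer value (which is why a detached, SAML-style identifier cannot serve as one) and applies the exact-match check a relying party performs on the fetched document. All hostnames, issuer values and the sample document are constructed.

```python
"""Why an OIDC issuer is bound to a server location while a SAML entityID is
not.  Added example, not Shibboleth IdP code; all values are constructed."""
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/openid-configuration"


def discovery_url(issuer: str) -> str:
    """Build the OpenID Connect Discovery 1.0 URL for an issuer (section 4).
    The issuer must be an https URL with a host and no query or fragment; a
    terminating '/' on its path is removed before the well-known path is
    appended.  A detached identifier such as a URN has no host to fetch from.
    """
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"not an https URL with a host: {issuer!r}")
    if parts.query or parts.fragment:
        raise ValueError(f"query or fragment not allowed: {issuer!r}")
    path = parts.path.rstrip("/") + WELL_KNOWN
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def can_serve_discovery(issuer: str) -> bool:
    """True if a discovery URL can be derived from this issuer at all."""
    try:
        discovery_url(issuer)
        return True
    except ValueError:
        return False


def issuer_matches(configured: str, document: dict) -> bool:
    """Relying-party check from Discovery section 4.3: the 'issuer' in the
    fetched document must be identical to the issuer used to build the URL.
    A relying party that skips this check can be steered to a document
    served from a location the issuer does not name (issuer mix-up)."""
    return document.get("issuer") == configured


if __name__ == "__main__":
    for candidate in ("https://idp.example.edu/idp",   # deployment URL: works
                      "https://idp.example.edu/idp/",  # trailing slash dropped
                      "urn:mace:example.edu:idp"):     # SAML-style entityID: no host
        ok = can_serve_discovery(candidate)
        print(candidate, "->", discovery_url(candidate) if ok else "cannot be an OIDC issuer")
    # Constructed discovery document: even a trailing slash breaks the match.
    doc = {"issuer": "https://idp.example.edu/idp/"}
    print("issuer matches:", issuer_matches("https://idp.example.edu/idp", doc))
```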