[prev in list] [next in list] [prev in thread] [next in thread] 

List:       shibboleth-users
Subject:    Re: OIDC Issuer value
From:       Nate Klingenstein <ndk () sudonym ! me>
Date:       2024-04-26 16:09:52
Message-ID: B6510987-907C-4427-8EF8-363E90BF252A () sudonym ! me
[Download RAW message or body]

Joanne,

It just means that the URI selected for your SAML entityID is supposed to be detached \
from your deployment. This means it can be any URI anywhere, as long as it's one you \
control. There is some common practice now for those URI's to resolve to SAML \
metadata, but I'd call it far from comprehensive.

Conversely, OIDC expects to find a specific file at a specific location on the \
recipient server (•/.well-known/openid-configuration/), so you must have an issuer \
that matches the FDQNlocation of your server. There would be no conflict with them \
beingi the same value, but it might get a little confusing, and it most likely isn't \
an option.

I hope this helps,
Nate

> On Apr 26, 2024, at 9:38 AM, Schwendner, Joanne via users <users@shibboleth.net> \
> wrote: 
> 
> We are preparing to add OIDC support to our IDP (4.2.1) and are unsure about what \
> identifier to use for OIDC Issuer.  The doc says 
> "...while it may be the same as one's SAML entityID, it often cannot be, as SAML \
> does not conflate identity and location in this fashion." 
> I am an OIDC newbie, and am not clear on what that means.  Maybe if it were stated \
> another way..?   Is there a reason why the OIDC Issuer should NOT be the same as \
> our IDP SAML Issuer (Entity ID)?  Would there be a conflict in the IDP between SAML \
> and OIDC if they're the same? 
> Joanne
> 
> ---
> 
> Joanne Schwendner
> Identity Services
> Office of Information Technology
> Brown University
> -- 
> For Consortium Member technical support, see \
> https://shibboleth.atlassian.net/wiki/x/ZYEpPw To unsubscribe from this list send \
> an email to users-unsubscribe@shibboleth.net

-- 
For Consortium Member technical support, see \
https://shibboleth.atlassian.net/wiki/x/ZYEpPw To unsubscribe from this list send an \
email to users-unsubscribe@shibboleth.net


[prev in list] [next in list] [prev in thread] [next in thread]