[Openid-specs-fastfed] WebFinger discovery using subdomains
Matt Domsch
matt.domsch at sailpoint.com
Wed Dec 18 20:42:38 UTC 2019
I certainly think that discovery via a well-known DNS entry is simplest for most organizations with the common config of having a single IDP for a single domain name. Sanz does allow for records to be scoped by email address as well, should that need arise, though I’d consider it DNS pollution to have to put all email addresses into DNS for this discovery purpose when few would in practice be used. Maybe a BCP specifies an email address to be used for such discovery (e.g. discovery-it at example.com and discovery at example.com when multiple IDPs are in use for subsets of the population).
Karl, would you expect to add a new tag=value pair to the _openid TXT record specified in Sanz, or create a new _fastfed TXT record, similar to but separate from _openid? Given that FastFed uses, but is separate from, OIDC, SAML, and SCIM, I’d think the latter would be most appropriate, and would require the least coordination with other WGs and standards bodies.
My only concern with DNS comes from Sanz section 5, which requires DNSSEC to be valid. In practice this is still not widely enough used.
Thanks,
Matt
Matt Domsch
VP, Lead Corporate Architect
matt.domsch at sailpoint.com
mobile: 512-981-6486
www.sailpoint.com
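As an added illustration of the DNS-based discovery this message discusses (example code, not from the thread, the Sanz draft, or the FastFed working group): a relying party derives candidate TXT record names for an email address, parses tag=value pairs, and refuses an answer that a validating resolver did not authenticate with DNSSEC, which is the section 5 requirement Matt raises. The `_fastfed` owner name, the `tag=value; tag=value` syntax, the `v=fastfed1` and `provider` tags, and the email-scoped name built from the local part are all assumptions made for this example; the zone data is constructed and the lookup is simulated so the script runs offline.

```python
# Added example (not from the mailing-list thread). Record names, tag syntax and
# the email-scoped naming scheme are assumptions for illustration only.
from typing import Callable, Dict, List, Optional, Tuple

# A lookup returns (dnssec_authenticated, txt_strings), or None when the name does not exist.
LookupResult = Optional[Tuple[bool, List[str]]]

# Constructed stand-in for DNS: owner name -> (AD flag a validating resolver would set, TXT strings)
FAKE_ZONE: Dict[str, Tuple[bool, List[str]]] = {
    # Domain-wide record, DNSSEC-validated: the common single-IdP case.
    "_fastfed.example.com.": (True, ["v=fastfed1; provider=https://idp.example.com/.well-known/fastfed"]),
    # Email-scoped override for one user (hypothetical scheme: local part used as a label).
    "_fastfed.contractor.example.com.": (True, ["v=fastfed1; provider=https://partner-idp.example.org/fastfed"]),
    # Domain without DNSSEC: the resolver could not authenticate the answer.
    "_fastfed.example.net.": (False, ["v=fastfed1; provider=https://idp.example.net/fastfed"]),
}


def fake_lookup(name: str) -> LookupResult:
    """Offline substitute for a TXT query through a validating resolver."""
    return FAKE_ZONE.get(name)


class DiscoveryError(Exception):
    pass


def candidate_names(email: str, service: str = "_fastfed") -> List[str]:
    """Most specific first: the (hypothetical) email-scoped name, then the domain-wide name."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise DiscoveryError(f"not an email address: {email!r}")
    return [f"{service}.{local}.{domain}.", f"{service}.{domain}."]


def parse_tags(txt_strings: List[str]) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' (assumed syntax); duplicate or malformed tags are rejected."""
    record = "".join(txt_strings)  # one TXT RR may be split into several <=255-byte strings
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, eq, value = part.partition("=")
        tag, value = tag.strip().lower(), value.strip()
        if not eq or not tag or not value or tag in tags:
            raise DiscoveryError(f"malformed record: {record!r}")
        tags[tag] = value
    if tags.get("v") != "fastfed1":
        raise DiscoveryError(f"unsupported version tag: {tags.get('v')!r}")
    if not tags.get("provider", "").startswith("https://"):
        raise DiscoveryError("provider must be an https URL")
    return tags


def discover(email: str, lookup: Callable[[str], LookupResult],
             require_dnssec: bool = True) -> Dict[str, str]:
    """Return the parsed discovery record for an email address, honouring the DNSSEC requirement."""
    for name in candidate_names(email):
        result = lookup(name)
        if result is None:
            continue
        authenticated, txt_strings = result
        if require_dnssec and not authenticated:
            # An unauthenticated TXT answer could be spoofed to point at a rogue provider.
            raise DiscoveryError(f"{name} is not DNSSEC-authenticated; refusing discovery")
        tags = parse_tags(txt_strings)
        tags["_source"] = name  # which owner name supplied the answer, for logging
        return tags
    raise DiscoveryError(f"no discovery record for {email}")


if __name__ == "__main__":
    print(discover("alice@example.com", fake_lookup))
    print(discover("contractor@example.com", fake_lookup))
    try:
        discover("bob@example.net", fake_lookup)
    except DiscoveryError as err:
        print("rejected:", err)
```

With a real resolver, the `lookup` callable would issue the TXT query and report whether the response carried the AD flag; passing `require_dnssec=False` reproduces the weaker behaviour a deployment is forced into where DNSSEC is not in use, which is exactly the gap the message points out.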