Yet Another Delegation Thread
Dick Hardt
dick at sxip.com
Thu Oct 26 18:21:24 UTC 2006
On 26-Oct-06, at 8:27 AM, Josh Hoyt wrote:
> On 10/26/06, Dick Hardt <dick at sxip.com> wrote:
>> > * If the IdP-specific identifier is not checked by the relying
>> > party's discovery, the IdP MUST do discovery on every request to
>> > ensure that it's not making an assertion based on stale
>> > information.
>>
>> Which is probably a good idea. :-)
>> If the IdP is sending both identifiers in a signed response, then
>> they both should be valid.
>
> Requiring this discovery adds another (redundant) HTTP request to the
> authentication process, which takes time. I'd like to be able to
> improve the "User Experience" by implementing an IdP that would verify
> the binding occasionally, but not *every time* the user authenticates.
I would assume that some caching of HTTP requests would be allowed
depending on the HTTP headers sent by the site serving the portable
identifier document. Since the IdP is likely involved in all identity
transactions for the user, there would be many cache hits and the
extra traffic not that significant. Note this is also a server-to-
server request, which should be much less significant than client-to-
server requests.
It would seem this all boils down to optimizing one potential HTTP
request.
Has anyone laid out how many requests happen in a transaction?
-- Dick
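The caching arrangement Dick sketches above, as an added example (it is not code from this thread or from any OpenID implementation): an IdP-side discovery cache that keeps the parsed link tags from the portable identifier page for as long as that page's Cache-Control max-age or Expires header allows, re-fetches when the entry is stale, and checks the (portable identifier, IdP endpoint, IdP-specific identifier) binding against the cached result before asserting both identifiers. Assumed, not taken from the page: the `openid2.provider` / `openid2.local_id` link tags, the `fake_fetch` stand-in for a real HTTP client, and the constructed sample pages.

```python
"""IdP-side delegation check that honours the identifier page's HTTP caching.

Added example, not from the original thread.  Assumptions: the portable
identifier page carries OpenID-2.0-style link tags (rel="openid2.provider",
rel="openid2.local_id"); the fetcher returns (status, headers, body); the
sample pages below are constructed, not real sites.
"""
import email.utils
import re
import time
from html.parser import HTMLParser


class _LinkParser(HTMLParser):
    """Collects <link rel=... href=...> pairs from the identifier page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for r in rel.split():          # rel may hold several tokens
                self.links.setdefault(r.lower(), href)


def parse_links(body):
    p = _LinkParser()
    p.feed(body)
    return p.links


def freshness_lifetime(headers, now):
    """Seconds the response may be served from cache.
    Cache-Control max-age beats Expires; no-store/no-cache means 0, and a
    response with no explicit freshness is treated as uncacheable (conservative:
    better one extra request than a stale delegation assertion)."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = h.get("cache-control", "").lower()
    if "no-store" in cc or "no-cache" in cc:
        return 0
    m = re.search(r"max-age=(\d+)", cc)
    if m:
        return int(m.group(1))
    if "expires" in h:
        exp = email.utils.parsedate_to_datetime(h["expires"]).timestamp()
        return max(0, int(exp - now))
    return 0


class DiscoveryCache:
    def __init__(self, fetch, clock=time.time):
        self._fetch = fetch          # fetch(url) -> (status, headers, body)
        self._clock = clock
        self._entries = {}           # url -> (links, expires_at)
        self.fetches = 0             # how many real fetches happened

    def discover(self, url):
        now = self._clock()
        hit = self._entries.get(url)
        if hit and now < hit[1]:
            return hit[0]            # fresh: no HTTP request at all
        self.fetches += 1
        status, headers, body = self._fetch(url)
        if status != 200:
            self._entries.pop(url, None)
            return {}
        links = parse_links(body)
        self._entries[url] = (links, now + freshness_lifetime(headers, now))
        return links

    def binding_is_valid(self, portable_id, provider, local_id):
        """True only if the portable identifier still delegates to *this* IdP
        with *this* IdP-specific identifier; the IdP should refuse to sign a
        response carrying both identifiers otherwise."""
        links = self.discover(portable_id)
        return (links.get("openid2.provider") == provider
                and links.get("openid2.local_id") == local_id)


# Constructed sample responses (hypothetical hosts, not real sites).
PAGES = {
    "https://alice.example/": (200, {"Cache-Control": "max-age=600"},
        '<html><head><link rel="openid2.provider" href="https://idp.example/op">'
        '<link rel="openid2.local_id" href="https://idp.example/alice">'
        '</head></html>'),
    "https://bob.example/": (200, {"Cache-Control": "no-cache"},
        '<link rel="openid2.provider" href="https://idp.example/op">'
        '<link rel="openid2.local_id" href="https://idp.example/bob">'),
}


def fake_fetch(url):
    """Offline stand-in for an HTTP GET; 404 for anything not in PAGES."""
    return PAGES.get(url, (404, {}, ""))


if __name__ == "__main__":
    c = DiscoveryCache(fake_fetch)
    for _ in range(3):
        c.binding_is_valid("https://alice.example/", "https://idp.example/op",
                           "https://idp.example/alice")
    print("alice: 3 logins ->", c.fetches, "fetch(es)")
```

With `max-age=600` the per-login discovery Josh objects to collapses to one request per user per ten minutes; with `no-cache` (Bob) it degenerates to exactly the one extra server-to-server request per authentication the thread is weighing. The trade-off the owner of the portable identifier controls is the same one they already control for any HTTP client: a longer lifetime means the IdP may keep asserting a delegation for up to that long after the page changed.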