Subject: Re: [saml-dev] Errors with HTTP redirect Binding



It doesn't matter if the receiver is an SP or an IdP. The problem is that
with the HTTP Redirect Binding we don't know who the sender of the request is;
we only know who the user agent is. So we need to analyse the SAML request
to discover the sender and establish which URL to use to send the SAML
response. If the identity found in the SAML request is unknown to the
receiver, it has no way to know which URL to send the SAML Response to.
So a SAML response with an appropriate error code has no utility if we
don't know where to send it!

Valerie


----- Reply to All the Original Message -----
Author: "Tom Scavo"
To: "valerie.bauche@bull.net"
Date: 13/06/2007 17:47:24
Cc: saml-dev
Subject: Re: [saml-dev] Errors with HTTP redirect Binding

> On 6/13/07, valerie.bauche@bull.net <valerie.bauche@bull.net> wrote:
> >
> > The specification for the redirect binding says:
> >
> > "HTTP interactions during the message exchange MUST NOT use HTTP error
> > status codes to indicate failures in SAML processing, since the user
> > agent is not a full party to the SAML protocol exchange."
> >
> > If an SP receives a request with this binding and the URI indicated in
> > the issuer element of the request is unknown, the SP can't guess the URL
> > of the sender and then can't send any response to it. So the only way is
> > to send an HTTP error status... Is it a contradiction with the preceding
> > "MUST NOT"?
>
> Do you mean IdP above?  In any event, IdP behavior depends on the
> profile, and in the case of the Web Browser SSO Profile, section
> 4.1.4.1 in SAMLProf is definitive:
>
> "If the identity provider cannot or will not satisfy the request, it
> MUST respond with a <Response> message containing an appropriate error
> status code or codes."
>
> Did you have some other use of the Redirect Binding in mind?
>
> Hope this helps,
> Tom
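The situation Valerie describes, a receiver that must first work out who sent a redirect-bound request before it can decide where (or whether) a SAML error <Response> can go, as an added Python example that is not code from this thread or from any SAML implementation. It undoes the HTTP-Redirect encoding (raw DEFLATE, base64, URL-encoding), reads the <Issuer>, and routes against a hypothetical trust registry; the entityIDs, endpoints and the sample AuthnRequest are constructed.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical trust registry (constructed): Issuer entityID -> endpoint that
# the receiver may deliver a <Response> to. Anything not listed is unknown.
KNOWN_PEERS = {"https://sp.example.org/saml": "https://sp.example.org/saml/acs"}


def sample_request(issuer: str) -> str:
    """Constructed AuthnRequest carrying only the elements needed for routing."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:saml="{SAML_NS}" ID="_req1" Version="2.0" '
        'IssueInstant="2007-06-13T15:47:24Z">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    )


def encode_redirect_request(xml_text: str) -> str:
    """Encode as the HTTP-Redirect binding does: raw DEFLATE, base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no header
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.quote(base64.b64encode(data).decode("ascii"), safe="")


def decode_redirect_request(param: str) -> ET.Element:
    """Reverse that encoding and parse the XML; raises on malformed input."""
    raw = base64.b64decode(urllib.parse.unquote(param), validate=True)
    return ET.fromstring(zlib.decompress(raw, -15))


def route_error_response(param: str):
    """Return ("respond", endpoint) if the Issuer is a registered peer, else
    ("drop", reason): with no trusted destination there is nowhere to send a
    SAML <Response>, so the receiver can only log and answer the user agent."""
    try:
        root = decode_redirect_request(param)
    except (ValueError, zlib.error, ET.ParseError):  # bad base64 / deflate / XML
        return ("drop", "undecodable SAMLRequest parameter")
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    entity_id = (issuer.text or "").strip() if issuer is not None else ""
    if not entity_id:
        return ("drop", "request carries no Issuer")
    endpoint = KNOWN_PEERS.get(entity_id)
    if endpoint is None:
        return ("drop", f"unknown Issuer {entity_id}")
    return ("respond", endpoint)
```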



