Subject: Re: [saml-dev] clarification of AuthnRequest protocol
Tom Scavo wrote:
> In section 3.4.1.4 of Core, it says "The resulting assertion(s) MUST
> contain a <saml:AudienceRestriction> element referencing the requester
> as an acceptable relying party." What if the requester is in fact the
> requested subject, but beyond that the relying party is unspecified?
> What should the Audience value be in that case?

Well, I think the intent behind the text was to preclude issuing assertions using that protocol that don't identify a relying party unless there's some overriding signal to do so. As stated, the protocol doesn't permit issuing unconstrained assertions.

However, that text is really kind of meant as a set of "default" behavior if there's nothing in the request (or one could argue, a profile) to dictate otherwise. I think one could finesse around it easily enough by just spelling out what you want in a profile. Worst case, you short-circuit that text by explicitly including an extension or something else that renders the "In the absence of any specific content at all" clause moot.

But I wouldn't be against an errata there myself; it reads a bit strongly to me. That text was kind of there as a placeholder to get around the fact that the only concrete profile we had for the protocol was Web SSO, and I didn't want core to be constrained by its rules.

-- Scott
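An added example, not part of this thread and not code from any SAML implementation, of the relying-party-side check that the quoted 3.4.1.4 text exists to make possible: the requester verifies that the assertion it gets back actually names it in <saml:AudienceRestriction>, and treats an assertion with no AudienceRestriction at all (the "unconstrained" case Scott mentions) as a failure. The entityIDs, NameID and IssueInstant in the sample assertions are constructed values.

```python
"""Relying-party check that a SAML 2.0 assertion names us in
<saml:AudienceRestriction> (SAML Core 3.4.1.4 / 2.5.1.4).

Added example: the sample assertions and the entityIDs in them are
constructed for illustration, not taken from any real deployment."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Our own entityID as requester / relying party (constructed value).
OUR_ENTITY_ID = "https://sp.example.org/sp"


def audience_check(assertion_xml: str, relying_party: str) -> tuple:
    """Return (ok, reason).

    Per Core 2.5.1.4 each <AudienceRestriction> is evaluated independently
    and ALL of them must be satisfied; within one restriction, matching ANY
    <Audience> is enough.  Audience values are URIs compared as exact
    strings after trimming whitespace.  An assertion with no
    <AudienceRestriction> at all is unconstrained and is rejected here.
    """
    root = ET.fromstring(assertion_xml)
    # Accept a bare <saml:Assertion> or a wrapper (e.g. a Response) containing one.
    if root.tag == "{%s}Assertion" % NS["saml"]:
        assertion = root
    else:
        assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion element"

    restrictions = assertion.findall("saml:Conditions/saml:AudienceRestriction", NS)
    if not restrictions:
        return False, "unconstrained assertion: no AudienceRestriction"

    for i, r in enumerate(restrictions):
        audiences = {(a.text or "").strip() for a in r.findall("saml:Audience", NS)}
        if relying_party not in audiences:
            return False, "AudienceRestriction %d does not name %s (has %s)" % (
                i, relying_party, sorted(audiences))
    return True, "relying party named in all %d AudienceRestriction(s)" % len(restrictions)


def _assertion(conditions_inner: str) -> str:
    # Constructed sample assertion; Issuer, NameID and IssueInstant are illustrative.
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_example1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        "<saml:Issuer>https://idp.example.org/idp</saml:Issuer>"
        "<saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>"
        "<saml:Conditions>" + conditions_inner + "</saml:Conditions>"
        "</saml:Assertion>"
    )


SAMPLE_OK = _assertion(
    "<saml:AudienceRestriction><saml:Audience>https://sp.example.org/sp</saml:Audience>"
    "</saml:AudienceRestriction>")
# No AudienceRestriction at all: the unconstrained case the spec text forbids by default.
SAMPLE_UNCONSTRAINED = _assertion("")
# Names a different relying party: a token minted for someone else.
SAMPLE_OTHER_SP = _assertion(
    "<saml:AudienceRestriction><saml:Audience>https://other.example.net/sp</saml:Audience>"
    "</saml:AudienceRestriction>")
# Two independent restrictions; the second does not name us, so the whole check fails.
SAMPLE_MIXED = _assertion(
    "<saml:AudienceRestriction><saml:Audience>https://sp.example.org/sp</saml:Audience>"
    "</saml:AudienceRestriction>"
    "<saml:AudienceRestriction><saml:Audience>https://other.example.net/sp</saml:Audience>"
    "</saml:AudienceRestriction>")

if __name__ == "__main__":
    for name, xml in [("ok", SAMPLE_OK), ("unconstrained", SAMPLE_UNCONSTRAINED),
                      ("other_sp", SAMPLE_OTHER_SP), ("mixed", SAMPLE_MIXED)]:
        print(name, audience_check(xml, OUR_ENTITY_ID))
```

The check is deliberately strict about the missing-AudienceRestriction case: the 3.4.1.4 text puts the burden on the issuer to name a relying party, but a relying party that accepts unconstrained assertions loses the protection against a token issued for one audience being replayed at another, whatever the issuer intended.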