Subject: RE: [saml-dev] preserving query parameters in AssertionConsumerServiceURL
Hi Scott,

One final question for my understanding - if the received AssertionConsumerServiceURL should always be checked exactly against the metadata, why not then use the AssertionConsumerServiceIndex? It will be much cheaper. I don't see the point of having two mutually exclusive approaches for the same functionality.

Regards,
Dimitar

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu]
Sent: Wednesday, April 08, 2009 9:44 PM
To: 'Schmidlin, Franck'
Cc: saml-dev@lists.oasis-open.org
Subject: RE: [saml-dev] preserving query parameters in AssertionConsumerServiceURL

> For the record, the sessionId in my example is not an actual session
> encapsulating access, but one that differentiates different screen
> streams within the same session. Maybe I should have made the example a
> bit more generic by using query parameters a to z.

That's fine, but you weren't claiming there was an attack vector involved either. ;-)

> I understand Scott's argument, but basically it falls down to not being
> able to use the URL I want because the SP needs some reliable way to
> compare my AssertionConsumerURL with the metadata.

You mean the IdP. And yes, the spec requires *some* reliable way to do it, and from an implementation PoV, you can't just assume signed requests, though that observation certainly is relevant in terms of how one might avoid the check. But that doesn't solve the problem when they aren't signed.

> Which feels like the application of the standard is skewed toward the
> implementation responder side.

Again, what would you propose the responder do exactly? It's not skewed unless you can point out some other way to solve the problem. I guess it won't help you, but at least it justifies the complaint. As it stands, I don't see it.

> I can live with it, but unless the standard is amended to read "The
> AssertionConsumerURL MUST match the actual URL held in the metadata", I
> don't think the standard has been fully implemented, or fully thought
> out.

I obviously don't agree, but errata are cheap. The obvious place for that is the metadata usage section of the profile, seems like.

-- Scott
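The IdP-side choice the thread is arguing over, written out as code: Scott's point that an unsigned request's AssertionConsumerServiceURL has to match a metadata location exactly (so a URL with extra query parameters is a different, untrusted URL), and Dimitar's cheaper AssertionConsumerServiceIndex lookup. This is an added example, not code from the thread or from any SAML implementation; the entityID, the endpoint locations and the resolve_acs() function are hypothetical.

```python
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata (hypothetical entityID and locations), as an IdP
# would have loaded it from the SP's <md:AssertionConsumerService> elements.
SP_METADATA = {
    "https://sp.example.org/shibboleth": [
        {"index": 1, "binding": HTTP_POST, "isDefault": True,
         "location": "https://sp.example.org/Shibboleth.sso/SAML2/POST"},
        {"index": 2, "binding": HTTP_POST,
         "location": "https://sp.example.org/app/acs?a=1"},
    ],
}


def resolve_acs(entity_id, acs_url=None, acs_index=None, binding=None,
                request_signed=False):
    """Return the location a Response may be delivered to, or None to refuse.

    - AssertionConsumerServiceIndex: a plain lookup in the SP's metadata.
    - AssertionConsumerServiceURL on an unsigned request: the string must
      equal a published location exactly; query parameters that are not in
      the metadata make it a URL the IdP cannot tie to the SP.
    - On a signed request the signature, not the metadata, vouches for the
      URL, so it is honoured as given (the 'way to avoid the check').
    - Nothing specified: the SP's default endpoint.
    """
    endpoints = SP_METADATA.get(entity_id, [])
    if not endpoints:
        return None                      # unknown SP: nothing to verify against
    if acs_index is not None:
        return next((e["location"] for e in endpoints
                     if e["index"] == acs_index), None)
    if acs_url is not None:
        if request_signed:
            return acs_url
        for e in endpoints:
            if e["location"] == acs_url and (
                    binding is None or e["binding"] == binding):
                return e["location"]
        return None
    default = next((e for e in endpoints if e.get("isDefault")), endpoints[0])
    return default["location"]
```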