Subject: Request for failure reason in SAML responses
I suggest adding the reason as an attribute of ResponseType in draft-sstc-scheme-protocol-15.xsd:
    <xsd:complexType name="ResponseType">
        <xsd:complexContent>
            <xsd:extension base="samlp:ResponseAbstractType">
                <xsd:sequence>
                    <xsd:element ref="saml:Assertion" minOccurs="0"
                                 maxOccurs="unbounded"/>
                </xsd:sequence>
                <xsd:attribute name="StatusCode" type="samlp:StatusCodeType"
                               use="required"/>
                <!-- the built-in string type must be namespace-qualified -->
                <xsd:attribute name="Reason" type="xsd:string"
                               use="optional"/>
            </xsd:extension>
        </xsd:complexContent>
    </xsd:complexType>
Usage examples:

    <SAMLResponse ResponseID="{uuid-like-thing}"
                  InResponseTo="{another-uuid-like-thing}"
                  MajorVersion="1" MinorVersion="0"
                  StatusCode="Failure"
                  Reason="SAML Server could not connect to its database: ODBC error something..."/>

    <SAMLResponse ResponseID="{uuid-like-thing}"
                  InResponseTo="{another-uuid-like-thing}"
                  MajorVersion="1" MinorVersion="0"
                  StatusCode="Error"
                  Reason="Artifact type code 0xffff not supported"/>
Security consideration:

Care should be taken by SAML implementers and deployers not to reveal
information about the state of a deployment or a request that could be
exploited by an attacker (Bob's "Hints to the Attacker" from F2F #3). A
SAML site might turn on reason reporting during initial deployment and
testing to help shake out configuration problems, and then turn off reason
reporting for production.
Charles Knouse
Principal Software Engineer, Oblix Engineering
cknouse@oblix.com
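The following is an added illustration, not code from the post or from the SAML specification, of how a responder could implement the deployment toggle the security consideration describes: the detailed failure text always goes to the server log, but is copied into the proposed Reason attribute only while reason reporting is switched on. The namespace URI, element name, attribute names and the placeholder identifiers are assumptions made for the example; it uses only the Python standard library.

```python
"""Constructed example: emitting the proposed Reason attribute on a SAML
response with a reason-reporting toggle. Not part of the original post."""
import logging
import xml.etree.ElementTree as ET

# Assumed namespace URI and element name for the example; the post itself
# writes the element as <SAMLResponse> without a namespace.
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
RESPONSE_TAG = f"{{{SAMLP_NS}}}Response"

log = logging.getLogger("saml.responder")


def build_response(response_id, in_response_to, status_code, reason=None,
                   *, report_reasons=False):
    """Return a serialized response element as bytes.

    ``reason`` is the detailed, operator-facing failure text (for example
    the ODBC error from the post). It is always written to the server log.
    It is copied into the Reason attribute only when ``report_reasons`` is
    True, i.e. during initial deployment and testing; in production the
    attribute is omitted so that internal state such as database errors or
    unsupported artifact types is not disclosed to the requester.
    """
    ET.register_namespace("samlp", SAMLP_NS)
    resp = ET.Element(RESPONSE_TAG, {
        "ResponseID": response_id,
        "InResponseTo": in_response_to,
        "MajorVersion": "1",
        "MinorVersion": "0",
        "StatusCode": status_code,
    })
    if reason is not None:
        # Full detail stays on the server side regardless of the toggle.
        log.warning("response %s (%s): %s", response_id, status_code, reason)
        if report_reasons:
            resp.set("Reason", reason)
    return ET.tostring(resp, encoding="utf-8")


def parse_response(xml_bytes):
    """Parse a response and return (StatusCode, Reason or None)."""
    root = ET.fromstring(xml_bytes)
    if root.tag != RESPONSE_TAG:
        raise ValueError(f"unexpected root element {root.tag!r}")
    return root.get("StatusCode"), root.get("Reason")


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Placeholder identifiers, constructed for the example.
    detail = "SAML Server could not connect to its database: ODBC error something..."
    testing = build_response("placeholder-response-id", "placeholder-request-id",
                             "Failure", detail, report_reasons=True)
    production = build_response("placeholder-response-id", "placeholder-request-id",
                                "Failure", detail)
    print(testing.decode())      # carries Reason="..."
    print(production.decode())   # StatusCode only, no Reason attribute
```

In production mode the requester still receives the StatusCode, which is what it needs to act on, while the diagnostic text that could hint at backend configuration is available only in the responder's own log.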