Subject: [security-services] SAML User-Friendly? (bindings-6)
bindings model 6, line 534: "If the user is refused access to the desired resource, the destination site MUST return a HTTP "403 Forbidden" error code to the browser (step (6))."

What you return to a user (unlike a machine) is wrong to specify as a MUST. It is in most cases more appropriate to return HTTP 200 OK and display a message that says something useful like "You are not authorized to access this resource, please contact your local business administrator" or "Your organization is unknown, get lost!" depending on what the reason for the rejection really is. Hopefully in a localized language as well. SAML does not support user-language I guess?

=======================================
But that is just a breeze compared to the following:
=======================================

If the target URL is wrong or the target server does not respond, the *user* is left with the misery and without the source site [the user's administrator] knowing it. That makes SAML only suitable for closed scenarios.

Note: Shib does AFAIK not have this problem, only plain-vanilla SAML based on bindings-06.

In OBI Express (tm), which will be the world's first plug-and-play e-commerce standard, we augmented SAML (some sort of) with "WebServices" and got a much, much better system with respect to robustness, user-friendliness, and administration. Due to the extension mechanisms in SAML I think we will still be able to call ourselves SAML-compliant!

Anders Rundgren

Trademarks: OBI is a trademark of CommerceNet
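As an added illustration of the denial-response question raised in this post (this is not code from the post, the SAML bindings draft, or OBI Express), the following Python handler for a destination site separates the HTTP status code from the human-readable message: the status is a parameter, so the 403-versus-200 choice debated here does not decide whether the browser gets a useful, localized explanation. Language selection uses the standard HTTP Accept-Language request header; the reason codes, message texts and the two-language catalogue are constructed for the example.

```python
"""Destination-site access-denial response with a localized, reason-specific message.

Added example; not code from the mailing-list post, the SAML bindings draft or OBI
Express. Reason codes, message texts and the two-language catalogue are constructed
for illustration. Language negotiation uses the HTTP Accept-Language header.
"""
from dataclasses import dataclass
from html import escape

# Constructed message catalogue: reason code -> language tag -> text.
# Only these fixed texts ever reach the browser, so the internal reason for the
# refusal is not leaked beyond the category the catalogue exposes.
MESSAGES = {
    "not_authorized": {
        "en": "You are not authorized to access this resource. "
              "Please contact your local business administrator.",
        "de": "Sie sind nicht berechtigt, auf diese Ressource zuzugreifen. "
              "Bitte wenden Sie sich an Ihren Administrator.",
    },
    "unknown_organization": {
        "en": "Your organization is not known to this site.",
        "de": "Ihre Organisation ist dieser Website nicht bekannt.",
    },
}
DEFAULT_LANG = "en"


def parse_accept_language(header: str) -> list[str]:
    """Return primary language tags from an Accept-Language header, best q-value first.

    Region subtags are dropped ('de-CH' -> 'de'); entries with q=0 and the
    wildcard '*' are ignored. A stable sort keeps header order for equal q-values.
    """
    weighted = []
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        pieces = part.split(";")
        tag = pieces[0].strip().lower().split("-")[0]
        q = 1.0
        for param in pieces[1:]:
            param = param.strip()
            if param.startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0  # malformed q-value: treat the tag as unacceptable
        if q > 0 and tag and tag != "*":
            weighted.append((q, tag))
    weighted.sort(key=lambda item: -item[0])
    return [tag for _, tag in weighted]


def pick_language(accept_language: str, available) -> str:
    """First language the browser accepts that the catalogue has, else the default."""
    for tag in parse_accept_language(accept_language):
        if tag in available:
            return tag
    return DEFAULT_LANG


@dataclass
class DenialResponse:
    status: int
    language: str
    body: str
    headers: dict


def denial_response(reason: str, accept_language: str = "", status: int = 403) -> DenialResponse:
    """Build the response shown to the browser when access is refused.

    `status` is independent of the message text, so the handler can emit the
    machine-readable 403 from the bindings draft or the 200 the post prefers
    while still showing the user what happened. Unknown reason codes fall back
    to the generic denial rather than echoing internal detail.
    """
    if reason not in MESSAGES:
        reason = "not_authorized"
    lang = pick_language(accept_language, MESSAGES[reason])
    text = escape(MESSAGES[reason][lang])
    body = f'<!DOCTYPE html><html lang="{lang}"><body><p>{text}</p></body></html>'
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Language": lang,
        "Cache-Control": "no-store",  # denial pages must not be cached and replayed
    }
    return DenialResponse(status, lang, body, headers)


if __name__ == "__main__":
    resp = denial_response("unknown_organization", "de-DE,de;q=0.9,en;q=0.8")
    print(resp.status, resp.headers["Content-Language"])
    print(resp.body)
```

The catalogue lookup and the status code are deliberately decoupled: a site that follows the draft's MUST can still hand the user a localized explanation, and a site that disagrees with the MUST changes one argument, not the message logic.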