security-services message


Subject: Re: [security-services] underspecified behavior for AuthenticationQuery ?


This is just to clarify what should be the correct behavior in this topic. Say 
we have a request like this:

<samlp:Request ..>
	<saml:AssertionID>12345</saml:AssertionID>
</samlp:Request>

Scenario #1: The responder couldn't find the assertion matching the AssertionID 
12345 because it's not in the responder's assertion store, or the assertion was 
issued for a site different from the requester.

Scenario #2: The responder found the assertion. But the assertion is expired 
(time is not in the period between NotBefore and NotOnOrAfter in Conditions).

For these two scenarios, do they qualify for an error, or should we return 
success and an optional <statusMessage> to list the reason?

Thanks,
Emily


> my understanding is that the correct response is 
> a), success, with an additional (optional)
> <statusMessage> indicating that no assertions
> could be returned. Any other error code indicates
> an *error*, which is not the case here.
> 
> I could not find an explicit statement saying this in 
> the core-27. My suggestion would be to add a 
> section titled "Processing Rules for Queries" with
> the language:
> 
>  
> If the responder cannot find any assertions that satisfy the
> constraints expressed by a query, the <saml:Response> element
> MUST include a <saml:StatusCode> with value "Success". It MAY return
> a <saml:StatusMessage> with additional information.
> 
> My suggestion would be to place this in section 3.4.4,
> with the current contents of 3.4.4 placed in a sub-section
> (3.4.4.1), as these are an additional elaboration of the 
> query processing rules.
> 
> 
> - prateek
> 
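As an added illustration, not code from either poster or from the SAML committee, the following Python sketch shows a responder applying the processing rule proposed in the quoted reply to both of Emily's scenarios: an AssertionID that cannot be matched (not stored, or issued to another site) and one whose Conditions window has lapsed both yield a samlp:Success StatusCode with an explanatory StatusMessage, while a request carrying no AssertionID at all is reported as a genuine error. The SAML 1.0 namespace URIs, the QName form of the status values (the draft text quoted above writes simply "Success"), the assertion store layout and the sample data are all assumptions; treating an expired assertion as "not satisfying the constraints" is the reading of the proposed rule, not something the thread settles. One defensive choice worth noting: the "unknown ID" and "issued to a different site" cases share a single message, so a requester cannot use the responder as an oracle for assertion IDs belonging to other sites.

```python
"""Responder-side handling of a <saml:AssertionID> request (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# SAML 1.0 namespace URIs (assumed; the request in the thread shows no xmlns declarations).
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
ET.register_namespace("saml", SAML_NS)
ET.register_namespace("samlp", SAMLP_NS)

# StatusCode values as QNames (SAML 1.x convention); the quoted draft text writes "Success".
SUCCESS = "samlp:Success"
REQUESTER_ERROR = "samlp:Requester"


@dataclass
class StoredAssertion:
    assertion_id: str
    audience: str               # site the assertion was issued for
    not_before: datetime        # saml:Conditions NotBefore
    not_on_or_after: datetime   # saml:Conditions NotOnOrAfter


def is_valid_now(a: StoredAssertion, now: datetime) -> bool:
    """Conditions window: NotBefore is inclusive, NotOnOrAfter is exclusive."""
    return a.not_before <= now < a.not_on_or_after


def lookup(store: dict, assertion_id: str, requester: str, now: datetime):
    """Return (assertion, reason); reason is None only when the assertion satisfies the query."""
    a = store.get(assertion_id)
    # Unknown ID and wrong-site ID deliberately share one message so the requester
    # cannot learn whether an ID exists for some other site (Scenario #1).
    if a is None or a.audience != requester:
        return None, f"no assertion matching AssertionID {assertion_id}"
    if not is_valid_now(a, now):      # Scenario #2
        return None, f"assertion {assertion_id} is outside its validity period"
    return a, None


def respond(request_xml: str, store: dict, requester: str, now: datetime):
    """Handle a <samlp:Request> carrying <saml:AssertionID> references.

    Returns (status_code, status_message_or_None, returned_ids, response_xml).
    """
    req = ET.fromstring(request_xml)
    ids = [e.text.strip() for e in req.findall(f"{{{SAML_NS}}}AssertionID") if e.text]

    resp = ET.Element(f"{{{SAMLP_NS}}}Response")
    status = ET.SubElement(resp, f"{{{SAMLP_NS}}}Status")
    code = ET.SubElement(status, f"{{{SAMLP_NS}}}StatusCode")

    if not ids:
        # A malformed query is a real error, unlike an empty result.
        code.set("Value", REQUESTER_ERROR)
        msg = ET.SubElement(status, f"{{{SAMLP_NS}}}StatusMessage")
        msg.text = "request carries no AssertionID"
        return REQUESTER_ERROR, msg.text, [], ET.tostring(resp, encoding="unicode")

    returned, reasons = [], []
    for assertion_id in ids:
        a, reason = lookup(store, assertion_id, requester, now)
        if a is None:
            reasons.append(reason)
            continue
        ET.SubElement(resp, f"{{{SAML_NS}}}Assertion").set("AssertionID", a.assertion_id)
        returned.append(a.assertion_id)

    # Proposed rule: nothing satisfying the query is still Success, optionally with a message.
    code.set("Value", SUCCESS)
    message = "; ".join(reasons) if reasons else None
    if message:
        ET.SubElement(status, f"{{{SAMLP_NS}}}StatusMessage").text = message
    return SUCCESS, message, returned, ET.tostring(resp, encoding="unicode")


# Constructed sample data: one live assertion and one expired one, both issued to SP_A.
NOW = datetime(2002, 3, 1, 12, 0, tzinfo=timezone.utc)
SP_A = "https://sp-a.example"
SP_B = "https://sp-b.example"
STORE = {
    "12345": StoredAssertion("12345", SP_A, NOW - timedelta(minutes=5), NOW + timedelta(minutes=5)),
    "67890": StoredAssertion("67890", SP_A, NOW - timedelta(hours=2), NOW - timedelta(hours=1)),
}


def request_for(*assertion_ids: str) -> str:
    """Build a constructed <samlp:Request> listing the given AssertionIDs."""
    body = "".join(f"<saml:AssertionID>{i}</saml:AssertionID>" for i in assertion_ids)
    return f'<samlp:Request xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}">{body}</samlp:Request>'


if __name__ == "__main__":
    for label, ids, requester in [("found", ("12345",), SP_A),
                                  ("scenario 1, unknown id", ("99999",), SP_A),
                                  ("scenario 1, other site", ("12345",), SP_B),
                                  ("scenario 2, expired", ("67890",), SP_A)]:
        status_code, msg, ret, _ = respond(request_for(*ids), STORE, requester, NOW)
        print(f"{label}: {status_code} returned={ret} message={msg!r}")
```

The distinction the quoted reply draws is visible in the return values: every lookup outcome produces samlp:Success with or without a StatusMessage, and only the malformed request produces a different StatusCode.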


