[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: [security-services] AI-42: SAML error codes...
-----Original Message-----
From: Carlisle Adams [mailto:carlisle.adams@entrust.com]
Sent: Monday, February 03, 2003 5:31 PM
To: 'rphilpott@rsasecurity.com'; 'pmishra@netegrity.com'
Cc: 'security-services@lists.oasis-open.org'
Subject: [security-services] Question regarding SAML error codes...Hi,
I recently received a question from a SAML developer regarding error codes. Specifically, the developer was asking for
"...more detailed error information. Saml 1.0 leaves most of it to the vendors, which means automated error recovery (and possibly troubleshooting) is going to be difficult in multi-vendor environments."
When I asked for examples of what would be helpful, I got the following response:
I think there could be a code for each item in the message that might fail. Currently, the only specific error codes have to do with version mismatches and one about too many elements to be returned.
- digital signature validation failed (could get more specific wrt unknown signer DN, cryptographic problems, etc)
- missing digital signature
- bad artifact
- unknown sourceID
- unknown/expired assertionHandle (perhaps this isn't an error... for some reason, you're supposed to return "success" even if you can't/won't generate an assertion. I think there are different subcases here, and some are errors)
- request issueInstant is in the future
- request issueInstant is too far in the past (these two indicate a clock sync problem)
Would it be possible to discuss this briefly on tomorrow's call and see if there's any desire to include something along these lines in the 1.1 time frame?
Carlisle.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]