Hi folks,

Lines 505-507 (section 4.1.1.6) of the -02 draft B&P Word document state:

"If the source site is able to find or construct the requested assertions, it responds with a <samlp:Response> message with the requested assertions. Otherwise, it returns an appropriate status code, as defined within the selected SAML binding."

This is not really clear and will probably be construed by the reader to mean either that a SAML error status code should be returned in a samlp:Response or that a SOAP fault error should be returned (assuming the "selected SAML binding" is SOAP over HTTPS). I believe that we've all agreed that the "appropriate" result is to send a samlp:Response with a status code set to "Success" but that the response contains no assertions.

At least this is consistent with what we state in -core regarding Query/Request processing. It is also consistent with my research through the archives since I recalled this being discussed once upon a time.

Last February, Dipak Chopra from SAP submitted a lengthy list of comments/questions to the -comment list on the specs. Hal fwd'ed the message to the main list. The link for the fwd'ed message is:
http://lists.oasis-open.org/archives/security-services/200203/msg00026.html

Item 30 in that list was:

"30. Bindings & Profiles Doc. If the assertion is created at the time of artifact creation and the request for this assertion comes after the assertion has expired, will the source site return the expired assertion or an error response or a successful response with no assertion?"

Prateek responded to a number of the comments/questions on 8-Mar-02 in message:
http://lists.oasis-open.org/archives/security-services/200203/msg00045.html

His specific response was:

-----------------------------
[Prateek]
Any one of the following responses is conformant: (1) no assertion is returned with SUCCESS status code, (2) the expired assertion is returned with SUCCESS status code.
-----------------------------

From what I can find in subsequent minutes and email exchanges, there wasn't much more said about it and there wasn't an action item to clarify it in B&P.

Soooo... since Prateek's response clearly states the expected result and, as I mentioned, this is consistent with what we state in -core regarding Query/Request processing, I would really like to clarify the B&P text and treat it as an editorial/errata change.

DOES ANYONE OBJECT to treating it as such with the following replacement text:

"If the source site is able to find or construct the requested assertions, it responds with a <samlp:Response> message with the requested assertions. Otherwise, it responds with a <samlp:Response> message with no assertions and a <samlp:StatusCode> element with the value Success."

This would be consistent with the wording in -core.
Rob Philpott
RSA Security Inc.
The Most Trusted Name in e-Security
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
mailto:rphilpott@rsasecurity.com
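As an added example (not part of Rob's message or of the SAML specs), a Python check a destination site could run on a received samlp:Response to tell apart the three outcomes discussed above: a real SAML error status, Success with no assertions (option 1), and Success carrying an already-expired assertion (option 2). The sample messages, the ResponseID/AssertionID values and the issuer name are constructed for this example.

```python
from datetime import datetime, timezone
from io import BytesIO
from xml.etree import ElementTree as ET  # production code: parse untrusted XML with defusedxml

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"

def classify_response(xml_bytes: bytes, now: datetime) -> str:
    """Classify a SAML 1.x <samlp:Response> as 'error', 'no-assertions', 'expired' or 'valid'."""
    # Record prefix -> namespace bindings so StatusCode/@Value (a QName) is resolved
    # against the declared namespace instead of matching the literal text "samlp:".
    # Assumes one binding per prefix for the whole document (true for the samples below).
    prefixes, root = {}, None
    for event, payload in ET.iterparse(BytesIO(xml_bytes), events=("start-ns", "start")):
        if event == "start-ns":
            prefixes[payload[0]] = payload[1]
        elif root is None:
            root = payload            # fully populated once the loop has finished
    if root is None or root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None:
        raise ValueError("samlp:Response without a StatusCode")
    prefix, _, local = code.get("Value", "").rpartition(":")
    if prefixes.get(prefix) != SAMLP or local != "Success":
        return "error"               # a genuine SAML error status
    assertions = root.findall(f"{{{SAML}}}Assertion")
    if not assertions:
        return "no-assertions"       # Success + no assertions: nothing found (option 1)
    for assertion in assertions:
        cond = assertion.find(f"{{{SAML}}}Conditions")
        end = cond.get("NotOnOrAfter") if cond is not None else None
        if end and now >= datetime.fromisoformat(end.replace("Z", "+00:00")):
            return "expired"         # Success + expired assertion (option 2): must not be relied on
    return "valid"

# Constructed sample messages (not taken from the list archive).
NOW = datetime(2002, 6, 19, 17, 5, 37, tzinfo=timezone.utc)
HDR = (b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" '
       b'xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" ResponseID="_r1" '
       b'MajorVersion="1" MinorVersion="0" IssueInstant="2002-06-19T17:05:37Z">')
RESP_NO_ASSERTIONS = HDR + b'<samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status></samlp:Response>'
RESP_EXPIRED = HDR + (b'<samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>'
    b'<saml:Assertion AssertionID="_a1" Issuer="source.example" IssueInstant="2002-06-19T17:00:00Z" '
    b'MajorVersion="1" MinorVersion="0"><saml:Conditions NotBefore="2002-06-19T17:00:00Z" '
    b'NotOnOrAfter="2002-06-19T17:05:00Z"/></saml:Assertion></samlp:Response>')
RESP_ERROR = HDR + b'<samlp:Status><samlp:StatusCode Value="samlp:Requester"/></samlp:Status></samlp:Response>'
```

Only "valid" should result in the destination site consuming the assertion; "no-assertions" is the conformant "nothing found" answer the proposed B&P text describes, not a transport or protocol failure.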