
security-services message



Subject: RE: [security-services] A browser/POST question...


I don't have a big issue with this but I do not really see this as
errata. Basically, it does not matter what the <saml:ConfirmationMethod>
is set to in the FORM/POST profile; it is never discussed in the profile. So
why explicitly include a statement that says DON'T use it?

Scott, you have the most experience with the POST profile. Do you end up
spending time discussing <saml:ConfirmationMethod>? Is clarity the real
issue here?

[Scott] 
The section is 4.1.2.5, line 743 of the 1.0 B&P document.

Current text reads:

"The <saml:ConfirmationMethod> element of each assertion MUST be set to
urn:oasis:names:tc:SAML:1.0:cm:bearer."

That text is actually a little muddled. I suggest a clarifying edit to
read:

"Each statement subject included in the response MUST include a
<saml:ConfirmationMethod> element of
urn:oasis:names:tc:SAML:1.0:cm:bearer."

Then we can add:

"<saml:SubjectConfirmationData> SHOULD NOT be included."

[\Scott]
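
A check for the wording proposed in the message above, added here as an example and not part of the original post or of any OASIS text. The function name, the finding labels and the sample response are assumptions constructed for illustration; the sample omits attributes a real SAML 1.0 response requires.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
NS = {"saml": SAML}

def check_post_response(xml_text):
    """Return (level, location, detail) for each statement subject that departs from the wording."""
    # ElementTree is enough for this constructed sample; parse untrusted XML with a hardened parser.
    root = ET.fromstring(xml_text)
    findings = []
    for assertion in root.iter(f"{{{SAML}}}Assertion"):
        for stmt in assertion:
            subject = stmt.find("saml:Subject", NS)
            if subject is None:  # Conditions, Advice, signature: not a subject statement
                continue
            where = f'{assertion.get("AssertionID")}/{stmt.tag.split("}")[-1]}'
            methods = [(m.text or "").strip() for m in
                       subject.findall("saml:SubjectConfirmation/saml:ConfirmationMethod", NS)]
            if BEARER not in methods:
                findings.append(("MUST", where, "no bearer ConfirmationMethod"))
            if subject.find("saml:SubjectConfirmation/saml:SubjectConfirmationData", NS) is not None:
                findings.append(("SHOULD NOT", where, "SubjectConfirmationData present"))
    return findings

# Constructed sample: a1 has one conforming statement and one with no confirmation
# method at all; a2 uses bearer but also carries SubjectConfirmationData.
SAMPLE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:saml="{SAML}">
  <saml:Assertion AssertionID="a1">
    <saml:AuthenticationStatement><saml:Subject><saml:SubjectConfirmation>
      <saml:ConfirmationMethod>{BEARER}</saml:ConfirmationMethod>
    </saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement>
    <saml:AttributeStatement><saml:Subject>
      <saml:NameIdentifier>alice@example.org</saml:NameIdentifier>
    </saml:Subject></saml:AttributeStatement>
  </saml:Assertion>
  <saml:Assertion AssertionID="a2">
    <saml:AuthenticationStatement><saml:Subject><saml:SubjectConfirmation>
      <saml:ConfirmationMethod>{BEARER}</saml:ConfirmationMethod>
      <saml:SubjectConfirmationData>ZGF0YQ==</saml:SubjectConfirmationData>
    </saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for level, where, detail in check_post_response(SAMPLE):
        print(f"{level:10} {where}: {detail}")
```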

