SAML 2.0 tech overview - initial diagrams

["John Hughes" <john.hughes@entegrity.com>]

A few weeks ago I said I would first concentrate on the diagrams and
descriptions of the profile/binding combinations we have agreed to be in the
technical overview - in order to review the bindings/profiles documents.
Attached is my initial output - showing the flow for the Web SSO profile
with POST binding.  I have drawn what I call "Service Provider initiated"
and "Identity Provider initiated" flows.  As a result of reading through the
profile/binding documents to draw the diagrams I have a few comments and
questions:

- The SP initiated flow is quite well described, however the IdP initiated
flow takes a bit of imagination.  Primarily the problem is that in line 332
in the profiles doc it says u can start looking at the IdP initiated flow
from section 4.1.3.5.  A reader going straight to this section would soon
get confused (I did).  An additional sentence in the paragraph to describe
the IdP initiated flow initial state would be useful.

- lines 354 and 355 in profiles - have a couples of "may"s - should they be
lower case?

- 4.1.3.3/lines 360/361.  The redirect to the SP IdP - nothing describes
what the redirect carries (or could carry) - nor whether its out of scope

- In both diagrams I show that the SP resource being served up could be
performed by the Assertion Consumer service - although of course that
service would redirect/transfer to the web server/servlet to perform the
actual resource GET/PUT.  Nothing is described at all in 4.1.3.6 about this.
The casual reader could be left "dangling" about this!  Or are we assuming
that readers will always read the Technical Overview to get the full
picture:-)


The comments are based on sstc-saml-profiles-2.0-draft-11 and on
sstc-saml-bindings-2.0-draft-13


John

web sso -post flow.pdf