Subject: SAML 2.0 tech overview - initial diagrams
A few weeks ago I said I would first concentrate on the diagrams and descriptions of the profile/binding combinations we have agreed to be in the technical overview, in order to review the bindings/profiles documents. Attached is my initial output, showing the flow for the Web SSO profile with POST binding. I have drawn what I call "Service Provider initiated" and "Identity Provider initiated" flows.

As a result of reading through the profile/binding documents to draw the diagrams I have a few comments and questions:

- The SP initiated flow is quite well described; however, the IdP initiated flow takes a bit of imagination. Primarily the problem is that line 332 in the profiles doc says you can start looking at the IdP initiated flow from section 4.1.3.5. A reader going straight to this section would soon get confused (I did). An additional sentence in the paragraph to describe the IdP initiated flow's initial state would be useful.

- Lines 354 and 355 in profiles have a couple of "may"s - should they be lower case?

- 4.1.3.3/lines 360/361. The redirect to the SP IdP: nothing describes what the redirect carries (or could carry), nor whether it's out of scope.

- In both diagrams I show that the SP resource being served up could be performed by the Assertion Consumer service, although of course that service would redirect/transfer to the web server/servlet to perform the actual resource GET/PUT. Nothing is described at all in 4.1.3.6 about this. The casual reader could be left "dangling" about this! Or are we assuming that readers will always read the Technical Overview to get the full picture :-)

The comments are based on sstc-saml-profiles-2.0-draft-11 and on sstc-saml-bindings-2.0-draft-13.

John
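The two flows John's diagrams cover (SP-initiated and IdP-initiated Web SSO over the HTTP POST binding) differ mainly in what the Assertion Consumer Service can correlate the incoming Response with. The following is an added example written for this page, not code from the SSTC drafts or from any list participant: it models both flows end to end and shows the ACS checks that differ between them, including the "dangling" step of deciding which SP resource to hand the browser to afterwards. The entity IDs, the ACS URL and the `allow_unsolicited` switch are assumptions, and an HMAC over the Response XML stands in for the XML-DSig a real IdP would produce.

```python
"""Model of the SAML 2.0 Web SSO profile over the HTTP POST binding, in both the
SP-initiated and IdP-initiated variants. Example code written for this page, not
taken from the SSTC drafts. Entity IDs, URLs and the HMAC "signature" are
constructed assumptions; a real SP verifies XML-DSig on the Response instead."""
import base64
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY = "https://sp.example.org/metadata"    # assumed SP entity ID
SP_ACS = "https://sp.example.org/acs"            # assumed Assertion Consumer Service URL
IDP_ENTITY = "https://idp.example.org/metadata"  # assumed IdP entity ID
SIGNING_KEY = b"constructed-demo-key"            # stands in for the IdP signing key the SP trusts
TS = "%Y-%m-%dT%H:%M:%SZ"


def _sign(xml):
    """Stand-in for XML-DSig: HMAC over the serialised Response (assumption)."""
    return hmac.new(SIGNING_KEY, xml, hashlib.sha256).hexdigest()


class ServiceProvider:
    def __init__(self, allow_unsolicited):
        self.allow_unsolicited = allow_unsolicited  # accept IdP-initiated responses at all?
        self.outstanding = {}                       # AuthnRequest ID -> resource the user asked for

    def start_sso(self, resource):
        """SP-initiated flow: user hit a protected resource, so the SP issues an
        AuthnRequest and remembers the resource under the request ID."""
        req_id = "_" + secrets.token_hex(16)
        self.outstanding[req_id] = resource
        req = ET.Element(f"{{{SAMLP}}}AuthnRequest", ID=req_id, Version="2.0",
                         IssueInstant=datetime.now(timezone.utc).strftime(TS),
                         AssertionConsumerServiceURL=SP_ACS)
        ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY
        return {"SAMLRequest": base64.b64encode(ET.tostring(req)).decode(), "RelayState": resource}

    def acs(self, form):
        """Assertion Consumer Service: validate the POSTed form and decide where the
        browser is sent next. SP-initiated and IdP-initiated responses diverge at InResponseTo."""
        xml = base64.b64decode(form["SAMLResponse"])
        if not hmac.compare_digest(form["Signature"], _sign(xml)):
            raise ValueError("signature check failed")
        resp = ET.fromstring(xml)
        if resp.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY:
            raise ValueError("unexpected issuer")
        if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
            raise ValueError("IdP reported failure")
        a = resp.find("saml:Assertion", NS)
        scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd.get("Recipient") != SP_ACS:
            raise ValueError("assertion not addressed to this ACS")
        expiry = datetime.strptime(scd.get("NotOnOrAfter"), TS).replace(tzinfo=timezone.utc)
        if expiry <= datetime.now(timezone.utc):
            raise ValueError("assertion expired")
        if a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY:
            raise ValueError("wrong audience")
        in_response_to = resp.get("InResponseTo")
        if in_response_to is not None:
            # SP-initiated: must answer a request this SP actually sent, and only once.
            if in_response_to != scd.get("InResponseTo") or in_response_to not in self.outstanding:
                raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
            resource = self.outstanding.pop(in_response_to)  # our own record, not the echoed RelayState
        else:
            # IdP-initiated (unsolicited): there is no request to correlate with.
            if not self.allow_unsolicited:
                raise ValueError("unsolicited response not accepted")
            resource = form.get("RelayState") or "/"
            if not resource.startswith("/") or resource.startswith("//"):
                raise ValueError("RelayState must be a local path")  # assumption: no open redirect
        return {"subject": a.findtext("saml:Subject/saml:NameID", namespaces=NS), "redirect": resource}


class IdentityProvider:
    def respond(self, user, request_form=None, relay_state=None):
        """Build the form the IdP POSTs to the ACS. With request_form this is the
        SP-initiated flow (InResponseTo set); without it, the IdP-initiated flow."""
        in_response_to = None
        if request_form is not None:
            req = ET.fromstring(base64.b64decode(request_form["SAMLRequest"]))
            in_response_to, relay_state = req.get("ID"), request_form.get("RelayState")
        now = datetime.now(timezone.utc)
        resp = ET.Element(f"{{{SAMLP}}}Response", ID="_" + secrets.token_hex(16), Version="2.0",
                          IssueInstant=now.strftime(TS), Destination=SP_ACS)
        ET.SubElement(resp, f"{{{SAML}}}Issuer").text = IDP_ENTITY
        ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"), f"{{{SAMLP}}}StatusCode", Value=SUCCESS)
        a = ET.SubElement(resp, f"{{{SAML}}}Assertion", ID="_" + secrets.token_hex(16),
                          Version="2.0", IssueInstant=now.strftime(TS))
        ET.SubElement(a, f"{{{SAML}}}Issuer").text = IDP_ENTITY
        subj = ET.SubElement(a, f"{{{SAML}}}Subject")
        ET.SubElement(subj, f"{{{SAML}}}NameID").text = user
        sc = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation",
                           Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
        scd = ET.SubElement(sc, f"{{{SAML}}}SubjectConfirmationData", Recipient=SP_ACS,
                            NotOnOrAfter=(now + timedelta(minutes=5)).strftime(TS))
        cond = ET.SubElement(a, f"{{{SAML}}}Conditions")
        ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"),
                      f"{{{SAML}}}Audience").text = SP_ENTITY
        if in_response_to:
            resp.set("InResponseTo", in_response_to)
            scd.set("InResponseTo", in_response_to)
        xml = ET.tostring(resp)
        form = {"SAMLResponse": base64.b64encode(xml).decode(), "Signature": _sign(xml)}
        if relay_state is not None:
            form["RelayState"] = relay_state
        return form
```

In the SP-initiated case the ACS redirects to the resource it recorded when it issued the AuthnRequest rather than to the echoed RelayState, so a tampered RelayState cannot turn the ACS into an open redirect; in the IdP-initiated case RelayState is the only hint the IdP can give about the target, which is why the example constrains it to a local path and gates the whole flow behind `allow_unsolicited`.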