OASIS Mailing List Archives

 



security-services message



Subject: Comments on Technical Overview Draft 01



John, Eve, I read through the Draft 01 (July 22, 2004) version. Here are some comments.

1. Currently the paper focuses on the login (SSO) use cases. It provides all the possible combinations of bindings (for an authn request and response). Perhaps it may be beneficial to narrow this down to only the binding permutations specified in the conformance document. The concern is what will be done for the other profiles (e.g., MNI and Logout). This could become fairly complicated for Logout. You may want to just use a front-channel HTTP redirect (SP- and IdP-initiated use case) and a SOAP binding (SP- and IdP-initiated use case), i.e., only 4 use cases in total, where the logout is done completely over the front channel or the back channel (and not mixing the two).

2. The Federation Use Case seems to suggest the Name ID Mapping profile. However, the SSO profile (with MNI) can be used to do standard ID federation. Perhaps this should be a subcase under the SSO use cases and one under a Name ID Mapping use case.

3. Section 4.1.8: It's not well defined whether the query string parameter TARGET should be used throughout (including sending the Response to the SP) versus using the RelayState parameter (which is suggested in the SAML specs). The same goes for section 4.1.9.

4. line 135 s/its/it's/

5. line 178 s/to have to have/to have/

6. line 903 - XML Enc is not imported into protocols.

7. line 911, attributeDesignator is not relevant.

8. line 930, There is no AssertionURIReference element. I believe you are referring to the query string parameter "ID" that can be used to query an assertion id via a URL.


Thomas Wisniewski
Software Architect
Phone: (201) 891-0524
Cell: (201) 248-3668
 
Entrust
Securing Digital Identities
& Information

<http://www.entrust.com>
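Comments 1 and 3 above concern the front-channel (HTTP Redirect binding) logout exchange and the RelayState parameter that has to be carried through it. The following is an added example and is not code from the message above, from the SSTC, or from the Technical Overview draft; it builds the SP-initiated LogoutRequest redirect, has the IdP side decode it and answer with a LogoutResponse redirect, and checks that RelayState survives the round trip unchanged. The endpoints, entity IDs, message IDs and the LogoutRequest/LogoutResponse XML are constructed for the example; the SigAlg/Signature query parameters that a deployed redirect would carry are deliberately omitted so the encoding step stays visible.

```python
import base64
import zlib
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample values; all endpoints and entity IDs are hypothetical.
SP_ENTITY = "https://sp.example.com"
IDP_SLO_ENDPOINT = "https://idp.example.com/slo"
SP_SLO_ENDPOINT = "https://sp.example.com/slo"

LOGOUT_REQUEST = (
    '<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_lr1" Version="2.0" '
    'IssueInstant="2004-07-22T00:00:00Z" Destination="' + IDP_SLO_ENDPOINT + '">'
    "<saml:Issuer>" + SP_ENTITY + "</saml:Issuer>"
    "<saml:NameID>alice@example.com</saml:NameID>"
    "</samlp:LogoutRequest>"
)

LOGOUT_RESPONSE = (
    '<samlp:LogoutResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_lres1" Version="2.0" IssueInstant="2004-07-22T00:00:01Z" '
    'InResponseTo="_lr1" Destination="' + SP_SLO_ENDPOINT + '">'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
    "</samlp:Status></samlp:LogoutResponse>"
)

# SAML 2.0 Bindings, section 3.4.3: RelayState MUST NOT exceed 80 bytes.
RELAYSTATE_MAX_BYTES = 80


def encode_redirect_param(xml: str) -> str:
    """HTTP Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def decode_redirect_param(value: str) -> str:
    """Inverse of encode_redirect_param: base64-decode, then raw-inflate."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def build_redirect_url(endpoint: str, xml: str, relay_state: Optional[str], param: str) -> str:
    """Build the front-channel redirect; param is 'SAMLRequest' or 'SAMLResponse'."""
    if param not in ("SAMLRequest", "SAMLResponse"):
        raise ValueError("unknown message parameter")
    query = {param: encode_redirect_param(xml)}
    if relay_state is not None:
        if len(relay_state.encode("utf-8")) > RELAYSTATE_MAX_BYTES:
            raise ValueError("RelayState exceeds 80 bytes")
        query["RelayState"] = relay_state
    # urlencode percent-escapes the '+', '/' and '=' that base64 produces.
    return endpoint + "?" + urlencode(query)


def parse_redirect_url(url: str) -> Tuple[str, str, Optional[str]]:
    """Receiver side: return (parameter name, decoded XML, RelayState or None)."""
    query = parse_qs(urlparse(url).query)
    for param in ("SAMLRequest", "SAMLResponse"):
        if param in query:
            xml = decode_redirect_param(query[param][0])
            return param, xml, query.get("RelayState", [None])[0]
    raise ValueError("no SAML message in query string")


def idp_handle_logout_request(request_url: str) -> str:
    """IdP leg of SP-initiated front-channel logout: decode the LogoutRequest and
    answer with a LogoutResponse redirect, echoing RelayState unchanged."""
    param, xml, relay_state = parse_redirect_url(request_url)
    if param != "SAMLRequest" or "LogoutRequest" not in xml:
        raise ValueError("expected a LogoutRequest")
    # RelayState is opaque to the IdP: it is neither interpreted nor altered here.
    return build_redirect_url(SP_SLO_ENDPOINT, LOGOUT_RESPONSE, relay_state, "SAMLResponse")


def sp_initiated_logout(relay_state: str):
    """Both legs of the exchange, entirely over the front channel."""
    request_url = build_redirect_url(IDP_SLO_ENDPOINT, LOGOUT_REQUEST, relay_state, "SAMLRequest")
    response_url = idp_handle_logout_request(request_url)
    param, xml, returned_relay = parse_redirect_url(response_url)
    return request_url, response_url, param, xml, returned_relay


if __name__ == "__main__":
    _, resp, param, xml, relay = sp_initiated_logout("opaque-token-42")
    print(param, relay, "InResponseTo" in xml)
```

The SP should treat the returned RelayState as a lookup key for state it created itself (the token above), not as a URL to redirect the browser to; the 80-byte limit in the spec is one reason a short opaque token is the usual choice.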


