Subject: Re: [security-services] ECP and PAOS
ext Scott Cantor wrote:

>>In liberty PAOS spec, the examples (at the end of section 8)
>>imply that Correlation Header (from liberty soap binding spec)
>>to be included as a SOAP header (in addition to PAOS request
>>header) in both PAOS request and response messages.
>
>I didn't recall any dependency in PAOS on that SOAP binding spec, but PAOS
>is the authority on this part, not SAML. It's just a call out to whatever it
>says to do.

There is no normative dependency on the Liberty ID-WSF SOAP Binding Specification [1], and thus no need to include a Correlation header block, unless the service being exposed over PAOS [2] conforms to the Liberty ID-WSF SOAP Binding Specification (to which the SAML2 ECP service as specified does not).

>>In SAML2 profile spec ECP-related sections 4.2.4.3 and
>>4.2.4.5, the examples do not include the Correlation header.
>
>If PAOS requires it, then this should be SAML errata, but always take
>examples with serious salt, they aren't normative.

It's an example, and if there's any errata, it should be on the PAOS specification to note that this example is non-normative ;)

>>So the question is if I'm implementing ECP, SP and IDP support
>>for ECP, do I include this correlation header or not ?
>
>I'll let the PAOS experts answer that.

Only if you wish to additionally have your ECP conform to the Liberty ID-WSF SOAP Binding, but that is not required by the PAOS or SAML 2 specifications.

- JohnK

[1] https://www.projectliberty.org/specs/draft-liberty-idwsf-soap-binding-v2.0-01.pdf
[2] https://www.projectliberty.org/specs/draft-liberty-paos-v2.0-01.pdf