It seems from bindings 313-314 that if a SAML Responder or Provider cannot process the request, then it would send a SOAP fault (vs. a SAML response msg). So some examples of this include:

- the issuer name is not recognized at all.
- request was not signed, but signature was required.
- signature was incorrect.
- the Destination attribute of the request did not match the URL the request was sent to.

The one that I'm not clear on is:

- the version was not correct (e.g., the requested major version is higher or minor version is higher and we don't handle that, or the major version is lower).

The core spec (ch 4) says we should reject the request when there are issues with the major versions. But it's not clear what reject means (perhaps I missed it in the spec). One could treat it as above and send back a SOAP fault. But chapter 4 talks about possibly using the Status second level code Version..... So this implies a SAML msg could be sent back. So is the actual response (SOAP fault vs. SAML msg) up to the implementer?

Thanks, Tom.