
Subject: RE: [security-services] ECP SSO Profile and Metadata


So, to resurrect an earlier discussion:

> But sure, as a guideline, clearly any request ought to really carry
> *something*. Leaving it out entirely usually seems like a bad idea.

Might it not be useful to require the ACSURL+binding/ACSIndex in
the <AuthnRequest> when via ECP? (And not changing the paos:Request
semantics.)

--Nick

> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu] 
> Sent: Thursday, June 23, 2005 08:10 AM
> To: 'Greg Whitehead'
> Cc: 'SAML'; 'Thomas Wisniewski'
> Subject: RE: [security-services] ECP SSO Profile and Metadata
> 
> 
> > Sure, and in my original message I think I mentioned that the SP would
> > either specify a PAOS AssertionConsumerService endpoint or specify PAOS
> > in ProtocolBinding. What I think we should advise against, in the ECP
> > case, is leaving the response binding completely unspecified, since
> > then there is the potential for ambiguity at the IdP SOAP
> > SingleSignOnService (if we define some other profile that
> > uses SOAP at the IdP in the future).
> 
> Definitely, but I don't think it's possible to leave it completely
> unspecified, short of there being no default endpoint in the metadata, which
> is more or less impossible.
> 
> The worst case scenario is you do SOAP in, and the default endpoint is
> something incompatible with that (HTTP based), although even that's sort of
> a matter of opinion. A client could theoretically bang SOAP in, and get back
> a redirect or form with the response. ;-)
> 
> But sure, as a guideline, clearly any request ought to really carry
> *something*. Leaving it out entirely usually seems like a bad idea.
> 
> -- Scott
> 
> 
> 
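The following Python example is added here to illustrate the point under discussion; it is not code from this thread, the SAML TC, or any SAML implementation. It resolves the response endpoint for an `<AuthnRequest>` arriving via ECP and shows how a request that carries nothing falls back to a metadata default that may not be PAOS. The SP metadata list, URLs and sample requests are constructed, and rejecting such requests is the requirement proposed above, assumed here as IdP policy.

```python
import xml.etree.ElementTree as ET

PAOS = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NS = 'xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'

# Constructed SP metadata: AssertionConsumerService endpoints (hypothetical URLs).
SP_ACS = [
    {"index": 0, "binding": POST, "location": "https://sp.example.org/acs/post", "default": True},
    {"index": 1, "binding": PAOS, "location": "https://sp.example.org/acs/paos", "default": False},
]
# Constructed sample requests: nothing specified, by index, by ProtocolBinding only.
BARE = f'<samlp:AuthnRequest {NS} ID="_a1" Version="2.0"/>'
BY_INDEX = f'<samlp:AuthnRequest {NS} ID="_a2" Version="2.0" AssertionConsumerServiceIndex="1"/>'
BY_BINDING = f'<samlp:AuthnRequest {NS} ID="_a3" Version="2.0" ProtocolBinding="{PAOS}"/>'

def resolve_acs(authn_request_xml, endpoints):
    """Return (endpoint, explicit): where the response goes, and whether the request chose it."""
    req = ET.fromstring(authn_request_xml)  # constructed input; use a hardened parser for untrusted XML
    idx = req.get("AssertionConsumerServiceIndex")
    url = req.get("AssertionConsumerServiceURL")
    binding = req.get("ProtocolBinding")
    if idx is not None and (url or binding):
        raise ValueError("index is mutually exclusive with URL/ProtocolBinding")
    if idx is not None:
        match = [e for e in endpoints if e["index"] == int(idx)]
    elif url or binding:
        match = [e for e in endpoints
                 if (url is None or e["location"] == url)
                 and (binding is None or e["binding"] == binding)]
    else:
        # Request carries nothing: the metadata default decides the binding.
        return next((e for e in endpoints if e["default"]), endpoints[0]), False
    if not match:
        raise ValueError("requested endpoint not found in SP metadata")
    return match[0], True

def check_ecp_request(authn_request_xml, endpoints=SP_ACS):
    """IdP-side check for a request received on the SOAP SingleSignOnService via ECP."""
    endpoint, explicit = resolve_acs(authn_request_xml, endpoints)
    if not explicit:
        return "reject: no ACS URL+binding or index; default is " + endpoint["binding"]
    if endpoint["binding"] != PAOS:
        return "reject: resolved binding is not PAOS"
    return "ok: " + endpoint["location"]
```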