OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] ECP SSO Profile and Metadata

> Well, what's so special about this profile? I suspect,
> that it involves an active intermediary? And that the
> ultimate receiver is, essentially, required to reach
> *over* the semantics of the immediate connection (SOAP)
> to infer and predict the modalities of its remote and
> once-removed peer?

The intermediary here is like a relay station. From the perspective of the
IdP, I don't see much difference. With all the bindings, returning an error
is somewhat gray because you may not support a binding the SP needs to get
the error. In this case, the profile says to deliver via PAOS, so if there's
no such ACS, you're screwed and all you can do is fault back to the client,
and then he should take over and deliver it to the responseConsumerURL.

> A metadata section would be good. And what will it say
> that would change what's already there? You ... MAY ... 
> publish metadata that says what the profile already
> requires?

No, it would nail down that the SSO Binding is SOAP and the ACS Binding is
PAOS. Problem solved (as much as it can be). You MAY publish metadata. If
you do, it MUST have X.

Any time the SP includes anything, that info could be invalid. The index
could be missing. The binding might not be one the IdP supports. The IdP has
the freedom at any time to try and use the default if that makes sense or
just return an error as best it can.

> Well, the difference with the HTTP-* case is that you've
> already received, directly (even if by proxy) the *peer's* 
> message, and the bindings require you make your ultimate
> response in kind (perhaps composed with Artifact).
> 
> Or is that all wrong?

I think it's wrong because in the HTTP case, it's the same. I MAY NOT
support a binding the SP expects me to use, or I MAY NOT be able to locate
metadata validating the index I got, etc. So I MAY have to punt. Same thing
here.

The difference is that HTTP offers three bindings I can use, so the chances
of that are slimmer. With ECP, it's currently PAOS or nothing. Of course, if
the SP's bothering to initiate ECP, he'd better have a PAOS endpoint (and we
can say that in the metadata section).

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]