Subject: RE: [security-services] ECP SSO Profile and Metadata
> Well, what's so special about this profile? I suspect,
> that it involves an active intermediary? And that the
> ultimate receiver is, essentially, required to reach
> *over* the semantics of the immediate connection (SOAP)
> to infer and predict the modalities of its remote and
> once-removed peer?

The intermediary here is like a relay station. From the perspective of the IdP, I don't see much difference.

With all the bindings, returning an error is somewhat gray because you may not support a binding the SP needs to get the error. In this case, the profile says to deliver via PAOS, so if there's no such ACS, you're screwed and all you can do is fault back to the client, and then he should take over and deliver it to the responseConsumerURL.

> A metadata section would be good. And what will it say
> that would change what's already there? You ... MAY ...
> publish metadata that says what the profile already
> requires?

No, it would nail down that the SSO Binding is SOAP and the ACS Binding is PAOS. Problem solved (as much as it can be).

You MAY publish metadata. If you do, it MUST have X.

Any time the SP includes anything, that info could be invalid. The index could be missing. The binding might not be one the IdP supports. The IdP has the freedom at any time to try and use the default if that makes sense or just return an error as best it can.

> Well, the difference with the HTTP-* case is that you've
> already received, directly (even if by proxy) the *peer's*
> message, and the bindings require you make your ultimate
> response in kind (perhaps composed with Artifact).
>
> Or is that all wrong?

I think it's wrong because in the HTTP case, it's the same. I MAY NOT support a binding the SP expects me to use, or I MAY NOT be able to locate metadata validating the index I got, etc. So I MAY have to punt. Same thing here.

The difference is that HTTP offers three bindings I can use, so the chances of that are slimmer. With ECP, it's currently PAOS or nothing.

Of course, if the SP's bothering to initiate ECP, he'd better have a PAOS endpoint (and we can say that in the metadata section).

-- Scott
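The endpoint-resolution logic Scott describes (look up the ACS index the SP sent, confirm its binding is PAOS, fall back to a default PAOS endpoint if that makes sense, otherwise fault back to the ECP client; and on the IdP side, advertise a SOAP-binding SingleSignOnService) as an added illustration, not code from the original thread or from any SAML implementation. The metadata documents, entity IDs and URLs below are constructed for the example; the namespace and binding URIs are the standard SAML 2.0 values.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
PAOS_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Constructed SP metadata (hypothetical entityID and endpoints): the
# default ACS is HTTP-POST, and a second, non-default ACS is PAOS.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/SAML2/POST"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
        Location="https://sp.example.test/SAML2/ECP"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata (hypothetical): one Redirect SSO endpoint and
# one SOAP SSO endpoint, the latter being what an ECP client needs.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/SSO/Redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.test/SSO/ECP"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_acs(metadata_xml):
    """Collect every AssertionConsumerService the SP publishes."""
    root = ET.fromstring(metadata_xml)
    acs_list = []
    for acs in root.iter("{%s}AssertionConsumerService" % MD_NS):
        acs_list.append({
            "index": int(acs.get("index")),
            "binding": acs.get("Binding"),
            "location": acs.get("Location"),
            "default": acs.get("isDefault", "false").lower() == "true",
        })
    return acs_list


def resolve_ecp_acs(acs_list, requested_index=None):
    """Decide where an ECP response goes.

    Returns (location, None) when the IdP can deliver via PAOS, or
    (None, reason) when it has to give up and fault back to the client.
    Anything the SP put in the request is treated as a claim to verify
    against metadata, not as trusted input.
    """
    if requested_index is not None:
        match = [a for a in acs_list if a["index"] == requested_index]
        if not match:
            return None, "no ACS with index %d in SP metadata" % requested_index
        if match[0]["binding"] != PAOS_BINDING:
            return None, "ACS index %d is %s, but ECP requires PAOS" % (
                requested_index, match[0]["binding"])
        return match[0]["location"], None

    # No index in the request: the only usable fallback is a PAOS ACS.
    # Prefer one flagged isDefault, then the lowest index.
    paos = [a for a in acs_list if a["binding"] == PAOS_BINDING]
    if not paos:
        return None, "SP publishes no PAOS AssertionConsumerService"
    paos.sort(key=lambda a: (not a["default"], a["index"]))
    return paos[0]["location"], None


def idp_ecp_endpoint(metadata_xml):
    """Return the IdP's SOAP-binding SingleSignOnService, or None if absent."""
    root = ET.fromstring(metadata_xml)
    for sso in root.iter("{%s}SingleSignOnService" % MD_NS):
        if sso.get("Binding") == SOAP_BINDING:
            return sso.get("Location")
    return None


if __name__ == "__main__":
    acs = parse_acs(SP_METADATA)
    for idx in (1, 0, 7, None):
        print("index", idx, "->", resolve_ecp_acs(acs, idx))
    print("IdP ECP endpoint:", idp_ecp_endpoint(IDP_METADATA))
```

The index-0 case is the interesting one: the SP's default ACS exists and is valid for browser SSO, but it is not PAOS, so an ECP response cannot go there; the IdP's only honest answer is a fault to the client rather than a response on a binding the SP's ECP flow cannot consume.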