security-services message



Subject: SAML Tech OV Comments (on draft 7)


John, nice job articulating the fed cases. Here are some comments on draft 7:
 
 
line 236: s/by either/by a/
 
line 463 s/provided by WSS/provided WSS/
 
line 576: s/request is "pushed"/request "pushed"/
 
line 622 s/may obtain/may provider obtain/
 
line 630: s/an/current an/
 
General comment regarding Artifact Resolution Service in the multiple diagrams/text. Basically, don't use SAML Responder but rather call this box Artifact Resolution Service (just like you have Assertion Consumer Service or Single Sign-On Service). Also, in figure 16 (and in figure 19) you have a step like Redirect with <AuthnRequest>. The Authn Request is not present here. Instead this should look like "POST SAMLart", then "SAMLart in HTML Form" -- basically identical to figure 17.
 
line 873: says that the figure shows an HTML form -- but the figure actually shows a Redirect. If you change this based on my comment above to be "POST SAMLart" then the text on line 873 will be correct.
 
Section 4.4.1 (persistent and transient IDs). I'm not sure whether we should qualify these with SAML (e.g., SAML persistent identifiers, and SAML transient identifiers). The use cases are talking about these 2 SAML formats defined in the spec, so perhaps it makes sense to qualify them -- at least on lines 1031, 1034, 1093, and 1164.
 
line 1041: s/Band/band/
 
line 1045: note that when you mention "persistent identifiers" in this use case, you are NOT talking about SAML persistent identifiers but rather using the adjective persistent to mean the ids persist at the provider sites. Perhaps change the text to say "This form of account linking uses identifiers that persist at the corresponding sites."
 
line 1081 (as well as probably 7 more locations in this chapter):  s/The member level attribute ("gold")/The attributes "gold member"/
 
line 1096: fix the text "examples will shall illustrate"
 
line 1101: s/latter/later/
 
figure 26 and 27: I'm not sure what the top left most data implies (i.e., "jdoe" User based account). I would suggest removing this. Or perhaps creating a corresponding entry at the IDP as well.
 
line 1108 (as well as a few more locations in this chapter -- in the same spot):  s/an HTTP/a HTTP/
 
line 1116 (as well as a few more locations in this chapter -- in the same spot):  s/an HTML/a HTML/
 
line 1130 (as well as a few more locations in this chapter -- in the same spot):  s/is created/created is/
 
Figure 27: In the SP table, for jroe, change n/a to be 61612. The n/a can be defined for 15152 if you want, but the IDP name id is always valued (if the IDP is the originator -- which is the case in this example).
 
line 1165: s/but what/what/
 
line 1165: s/do not want/do want/      is this correct? Or were you trying to say something else here??
 
lines 1189 and 1211: s/"1357"/1357/
 
lines 1195 and 1217: s/based on/based in/
 
lines 1239, 1243, 1259, 1263: s/may be/is/   since we are using soap, dig sig is optional.
 
lines 1240 and 1260: s/signature, if necessary, ensuring/signature ensuring/
 
lines 1241 and 1261: s/provider/Provider/
 
line 1268: s/using the front channel HTTP Redirect binding/using the redirect binding/
 
line 1268: s/SOAP back channel binding/back channel/
 
line 1270: s/initiating/instigating/
 
Figure 30: Perhaps add SOAP on top of the 2 links.
 
Figure 31: Perhaps add SOAP on top of the 2 links.
 
Figure 32: Perhaps add HTTP Redirect on top of links 2 and 5; and add SOAP on top of links 3 and 4.
 
Figure 33: Perhaps add SOAP on top of the 4 links.
 
For the SSO Figures, perhaps add SOAP on top of the ArtifactRequest and ArtifactResolve links.
 
Figures 31 and 32: add to figure title "...- service provider initiated"  to align with Figure 33.
 
Figure 33: Change link labels 3 and 4. The idea is that you contact each one individually. So you would call Car Rental with a Logout Request and then get back a Logout Response. Then you would call Hotel Inc, etc....
 
line 1463: extra tabs after [XACML]
 
 
Tom.
 

Thomas Wisniewski
Software Architect
Phone: (201) 891-0524
Cell: (201) 248-3668
 
Entrust®
Securing Digital Identities & Information
