Subject: RE: [security-services] Transient IDs and SAML Conformance
> I guess I would say that the definition of "process" here needs to be a bit
> tighter --- and for a conformance spec, perhaps needs to go a bit beyond the
> spec in terms of setting expectations.

How can it be "legal" to process the ID successfully, and then return a SAML error? You can't return a SAML error from non-SAML code, so I think it's unambiguous to say "the SAML layer must successfully process the value without returning an error".

We can't say what happens once the application at the SP gets control. But that's not a SAML error. SAML conformance can't include expectations about that, but I guess a conformance testing suite can just to determine whether something is working.

> For example, with a Persistent ID, an implementation might claim to be
> conformant even though it rejects all Persistent IDs --- but that would
> eliminate the possibility of Single-Logout or NameID Management.

Single Logout has nothing to do with persistent IDs, it works with any format because it's session-based. NameID Mgmt does, and no, you can't just ignore the messages by returning errors. But how can we control how somebody implements them?

As I said at the time, I am within my rights to provide nothing but an API, and then at conformance test time, supply a dumb plugin that writes to a file, and is totally unsuitable for production use. Conformance can't determine quality.

-- Scott