security-services message



Subject: RE: [security-services] ECP profile question


I'll re-open the errata and we can discuss on next call. If you have
proposed corrections, please submit to the list.

Jahan
 

> -----Original Message-----
> From: Brian Campbell [mailto:bcampbell@pingidentity.com] 
> Sent: Thursday, February 02, 2006 11:14 AM
> To: Scott Cantor; security-services@lists.oasis-open.org
> Subject: RE: [security-services] ECP profile question
> 
> 
> > > It seems like this example would still require the ECP to send a SOAP
> > > fault response to the service provider.  No?
> > 
> > I haven't looked closely at it, but if they don't match, it's wrong.
> 
> 
> I believe it is wrong so we should probably re-open that errata item.
> 
> 
> > > Why have the AssertionConsumerServiceURL at all?  Why not just have the
> > > ECP always deliver the response to the responseConsumerURL?
> > 
> > The IdP is the one who knows where it's authorized to send PII about the
> > user to a given provider. The client typically is deferring this to the
> > IdP in order to keep it minimal (but with the usual privacy costs).
> > 
> > The cross-check itself is to block a MitM attack where somebody intercepts
> > the SP's response and redirects the ECP to tell it to send the response to
> > it. The IdP has the metadata and the ECP authenticates it, so it knows if
> > it's being told to send the response elsewhere, something's wrong.
> 
> Fair enough.
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS 
> TC that generates this mail.  You may a link to this group 
> and all your TCs in OASIS
> at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgr
> oups.php 
> 
> 
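The cross-check discussed in the thread, sketched as an added example (not code from the original messages or from the SAML specification): an ECP compares the `responseConsumerURL` from the SP's PAOS request header with the `AssertionConsumerServiceURL` from the IdP's ECP response header before forwarding anything. The function names, helper builders and URLs are hypothetical, and the envelopes are constructed samples reduced to the header blocks that matter.

```python
import xml.etree.ElementTree as ET

NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": "urn:liberty:paos:2003-08",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
}

def header_attr(envelope_xml, block, attr):
    """Return attribute `attr` of SOAP header block `block`; raise if absent."""
    # ElementTree keeps the example dependency-free; a production ECP
    # should parse untrusted XML with a hardened parser.
    node = ET.fromstring(envelope_xml).find(f"S:Header/{block}", NS)
    if node is None or not node.get(attr):
        raise ValueError(f"missing {block}/@{attr}")
    return node.get(attr)

def choose_delivery(sp_request_xml, idp_response_xml):
    """Return ("deliver", acs_url) on a match, ("fault", None) otherwise."""
    rcu = header_attr(sp_request_xml, "paos:Request", "responseConsumerURL")
    acs = header_attr(idp_response_xml, "ecp:Response",
                      "AssertionConsumerServiceURL")
    # Exact string comparison: the IdP value comes from SP metadata over an
    # authenticated channel, so any difference means the SP message was altered.
    if acs == rcu:
        return ("deliver", acs)
    # Mismatch: withhold the SAML response and answer the SP with a SOAP fault.
    return ("fault", None)

def sp_request(rcu):
    """Constructed sample: SP -> ECP envelope carrying only the PAOS header."""
    return (f'<S:Envelope xmlns:S="{NS["S"]}" xmlns:paos="{NS["paos"]}"><S:Header>'
            f'<paos:Request responseConsumerURL="{rcu}" service="{NS["ecp"]}"/>'
            '</S:Header><S:Body/></S:Envelope>')

def idp_response(acs):
    """Constructed sample: IdP -> ECP envelope carrying only the ECP header."""
    return (f'<S:Envelope xmlns:S="{NS["S"]}" xmlns:ecp="{NS["ecp"]}"><S:Header>'
            f'<ecp:Response AssertionConsumerServiceURL="{acs}"/>'
            '</S:Header><S:Body/></S:Envelope>')

if __name__ == "__main__":
    acs = "https://sp.example.org/SAML2/ECP"          # hypothetical SP endpoint
    print(choose_delivery(sp_request(acs), idp_response(acs)))
    altered = sp_request("https://other.example.net/collect")  # modified in transit
    print(choose_delivery(altered, idp_response(acs)))
```

A missing header block is treated as an error rather than as a match, so stripping the IdP's header cannot bypass the comparison.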


