Subject: RE: [security-services] ECP profile question
I'll re-open the errata and we can discuss on next call. If you have proposed corrections, please submit to the list.

Jahan

> -----Original Message-----
> From: Brian Campbell [mailto:bcampbell@pingidentity.com]
> Sent: Thursday, February 02, 2006 11:14 AM
> To: Scott Cantor; security-services@lists.oasis-open.org
> Subject: RE: [security-services] ECP profile question
>
> > > It seems like this example would still require the ECP to send a SOAP fault response to the service provider. No?
> >
> > I haven't looked closely at it, but if they don't match, it's wrong.
>
> I believe it is wrong so we should probably re-open that errata item.
>
> > > Why have the AssertionConsumerServiceURL at all? Why not just have the ECP always deliver the response to the responseConsumerURL?
> >
> > The IdP is the one who knows where it's authorized to send PII about the user to a given provider. The client typically is deferring this to the IdP in order to keep it minimal (but with the usual privacy costs).
> >
> > The cross-check itself is to block a MitM attack where somebody intercepts the SP's response and redirects the ECP to tell it to send the response to it. The IdP has the metadata and the ECP authenticates it, so it knows if it's being told to send the response elsewhere, something's wrong.
>
> Fair enough.
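The cross-check discussed in the thread, as an added example that is not part of the original messages: the ECP compares the responseConsumerURL from the SP's paos:Request header against the AssertionConsumerServiceURL the IdP puts in its ecp:Response header, and on mismatch builds a SOAP fault for the SP instead of forwarding the response. The SOAP envelopes are constructed samples; the exact-string comparison, the fault text, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
PAOS = "urn:liberty:paos:2003-08"
ECP = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
ET.register_namespace("S", SOAP)  # so the generated fault uses the S: prefix

def response_consumer_url(sp_envelope: str) -> str:
    """Where the SP-side message told the ECP to deliver (paos:Request/@responseConsumerURL)."""
    hdr = ET.fromstring(sp_envelope).find(f"{{{SOAP}}}Header/{{{PAOS}}}Request")
    if hdr is None or "responseConsumerURL" not in hdr.attrib:
        raise ValueError("SP message lacks paos:Request/@responseConsumerURL")
    return hdr.attrib["responseConsumerURL"]

def assertion_consumer_service_url(idp_envelope: str) -> str:
    """Where the IdP, from its metadata, authorises delivery (ecp:Response/@AssertionConsumerServiceURL)."""
    hdr = ET.fromstring(idp_envelope).find(f"{{{SOAP}}}Header/{{{ECP}}}Response")
    if hdr is None or "AssertionConsumerServiceURL" not in hdr.attrib:
        raise ValueError("IdP message lacks ecp:Response/@AssertionConsumerServiceURL")
    return hdr.attrib["AssertionConsumerServiceURL"]

def soap_fault(detail: str) -> str:
    """SOAP 1.1 fault the ECP returns to the SP in place of the SAML response (assumed wording)."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    fault = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), f"{{{SOAP}}}Fault")
    ET.SubElement(fault, "faultcode").text = "S:Client"
    ET.SubElement(fault, "faultstring").text = detail
    return ET.tostring(env, encoding="unicode")

def ecp_deliver_to(sp_envelope: str, idp_envelope: str) -> tuple[bool, str]:
    """Returns (True, url) when both URLs agree and the IdP response may be forwarded,
    or (False, fault_xml) when the authorised URL differs from the one the ECP was
    steered towards, which is the tampering the cross-check exists to catch."""
    sp_url = response_consumer_url(sp_envelope)
    idp_url = assertion_consumer_service_url(idp_envelope)
    if sp_url != idp_url:  # assumption: exact string match, no URL normalisation
        return False, soap_fault("responseConsumerURL does not match AssertionConsumerServiceURL")
    return True, idp_url

# Constructed sample headers (SOAP bodies with AuthnRequest/Response omitted).
SP_MSG = (f'<S:Envelope xmlns:S="{SOAP}"><S:Header><paos:Request xmlns:paos="{PAOS}" '
          f'S:mustUnderstand="1" service="{ECP}" '
          'responseConsumerURL="https://sp.example.org/SAML2/ECP"/></S:Header><S:Body/></S:Envelope>')
IDP_MSG_OK = (f'<S:Envelope xmlns:S="{SOAP}"><S:Header><ecp:Response xmlns:ecp="{ECP}" '
              'S:mustUnderstand="1" AssertionConsumerServiceURL="https://sp.example.org/SAML2/ECP"/>'
              '</S:Header><S:Body/></S:Envelope>')
IDP_MSG_BAD = IDP_MSG_OK.replace("sp.example.org", "redirected.example.net")
```

Sending the fault back to the SP and refusing to forward the IdP response is left to the caller; the function only decides.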