
security-services message



Subject: Proposed change to POST-SimpleSign binding draft 02


My proposal to JeffH after last call was to address the question of how to
tell the difference between this binding and the original POST binding by
making this a compatible superset of the original.

To do that, I suggested that the Signature form parameter (the blob
signature) be used as a clear signal that this binding is being used.

Unsigned messages could be processed by an implementation of either POST
binding, and it's left to deployers and profiles to decide whether no
signature is allowable or not. Even now, we allow that, and it's up to the
SSO consumer to enforce the restriction that the assertion be signed.

But if you had a signed Response (signed as XML I mean), you should be
legally able to send it via the POST-SimpleSign binding as long as you also
include the simplified Signature.

The upshot is that there's just a single change to the last draft, making it
legal to leave the original XML Signature in place (right now it's a MUST to
remove it). There's no space limitation like with Redirect, which is where
the MUST came from.

As a result of the change, it will be possible for existing POST
implementations to easily update themselves to support this binding, or
layer their implementation of each one to share most of the same code.

-- Scott
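The receiver-side consequence of the proposal, as an added example that is not part of the post or of any OASIS draft: a consumer that treats the `Signature` form parameter as the signal for POST-SimpleSign, falls back to plain HTTP-POST handling when it is absent, and accepts a blob whose XML still carries its own `ds:Signature`. The layout of the string covered by the simple signature (`SAMLResponse=...&RelayState=...&SigAlg=...`) is assumed from the later published binding and may not match draft 02; the signing primitive is HMAC-SHA256 with a shared key, a stand-in for the asymmetric algorithm a real `SigAlg` URI would name, and the `SigAlg` value and the XML sample are constructed placeholders.

```python
"""Added example (not from the post): receiver dispatch for a POST-SimpleSign
message treated as a compatible superset of plain HTTP-POST."""
import base64
import hashlib
import hmac
from typing import Dict, Optional

# ASSUMPTION: the simple signature covers
#   "SAMLResponse=<base64 blob>&RelayState=<value>&SigAlg=<algorithm URI>"
# (RelayState omitted when absent), as in the later published binding.
# HMAC-SHA256 stands in for the asymmetric algorithm so the block runs offline;
# SIGALG is a constructed placeholder, not a registered identifier.
SIGALG = "urn:example:placeholder:hmac-sha256"

# Constructed sample: a Response whose XML already carries a ds:Signature.
# The element content is a placeholder, not a real XML-DSig computation.
SIGNED_XML_RESPONSE = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">PLACEHOLDER</ds:Signature>'
    '<samlp:Status/></samlp:Response>'
)


def encode_form(xml: str, relay_state: Optional[str] = None) -> Dict[str, str]:
    """Build the form parameters a plain HTTP-POST sender would emit."""
    form = {"SAMLResponse": base64.b64encode(xml.encode()).decode()}
    if relay_state is not None:
        form["RelayState"] = relay_state
    return form


def signed_string(form: Dict[str, str]) -> str:
    """Concatenate the parameters the simple signature covers (assumed layout)."""
    parts = ["SAMLResponse=" + form["SAMLResponse"]]
    if "RelayState" in form:
        parts.append("RelayState=" + form["RelayState"])
    parts.append("SigAlg=" + form["SigAlg"])
    return "&".join(parts)


def add_simple_signature(form: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Turn a plain POST form into a SimpleSign form without touching the blob,
    so any XML Signature inside it stays in place."""
    form = dict(form, SigAlg=SIGALG)
    mac = hmac.new(key, signed_string(form).encode(), hashlib.sha256).digest()
    form["Signature"] = base64.b64encode(mac).decode()
    return form


def classify_binding(form: Dict[str, str]) -> str:
    """The Signature form parameter is the signal that SimpleSign is in use."""
    return "POST-SimpleSign" if "Signature" in form else "HTTP-POST"


def verify_simple_signature(form: Dict[str, str], key: bytes) -> bool:
    """Recompute the signature over the assumed signed string and compare."""
    if form.get("SigAlg") != SIGALG:
        return False
    try:
        given = base64.b64decode(form["Signature"], validate=True)
    except (KeyError, ValueError):
        return False
    expected = hmac.new(key, signed_string(form).encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, given)


def consume(form: Dict[str, str], key: bytes, require_simple_signature: bool) -> Optional[str]:
    """Receiver that understands both bindings.  Returns the decoded XML, or
    None when the message must be rejected.  Whether an unsigned message is
    acceptable is a deployment/profile decision, hence the flag."""
    if classify_binding(form) == "POST-SimpleSign":
        if not verify_simple_signature(form, key):
            return None
    elif require_simple_signature:
        return None
    xml = base64.b64decode(form["SAMLResponse"]).decode()
    # A legacy POST consumer would now run its XML-signature check on `xml`;
    # the ds:Signature element is still there because the sender no longer
    # has to strip it.
    return xml


def has_xml_signature(xml: str) -> bool:
    """Cheap presence check used to show the inner signature survived."""
    return "<ds:Signature" in xml
```

The same form dictionary serves both consumers: a legacy POST implementation ignores `Signature` and `SigAlg` and verifies the XML Signature inside the blob, while the SimpleSign path verifies the blob signature first and then hands the untouched XML to that same code.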


