Subject: Re: [security-services] Some tech overview comments
On Feb 13, 2008 9:34 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:
> >>
> >> The example XML in section 4.4.4 "Message Structure and the SOAP Binding"
> >> shows an AuthnRequest and subsequent Response containing an assertion being
> >> transported via a SOAP envelope. While I realize this is valid in the ECP
> >> profile I think it is somewhat confusing at this point in this document.
> >> The user's agent and the idea of a bearer token are important pieces of SAML
> >> and this example seems to suggest that SSO can be accomplished without them.
> >>
> > Section 4.4 is entitled 'SAML XML Constructs and Examples' so I think
> > the SOAP example is perfectly valid here, as we are not claiming that
> > this example is in the context of SSO (or any other context).
>
> It's valid, for sure. My concern wasn't the validity but only that it might
> be a bit misleading/confusing for someone new to SAML (which is kind of the
> target audience for this doc, right?). I believe there is some
> misconception that SSO can be done by just making a SOAP call and I fear
> that this example might compound that misconception. But the real fun of
> web SSO (which is the main use case for SAML now) is the involvement of the
> user agent.
>
> Admittedly it is kind of a nit, and if others don't think it's an issue,
> I'll drop it. But I was thinking it may be more appropriate to show an
> example of a SAML message that is more commonly bound to SOAP - like logout or
> artifact resolution.

I agree with Brian here. SOAP is not required for SSO. That's a point we need to drive home as often as we can. The example in section 4.4.4 would be better served if it were an AttributeQuery, I think.

Tom