OASIS Mailing List Archives
security-services message



Subject: Re: [security-services] Some tech overview comments


On Feb 13, 2008 9:34 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:
> >>
> >> The example XML in section 4.4.4 "Message Structure and the SOAP Binding"
> >> shows an AuthnRequest and subsequent Response containing an assertion being
> >> transported via a SOAP envelope.  While I realize this is valid in the ECP
> >> profile I think it is somewhat confusing at this point in this document.
> >> The user's agent and the idea of a bearer token are important pieces of SAML
> >> and this example seems to suggest that SSO can be accomplished without them.
> >>
> > Section 4.4 is entitled 'SAML XML Constructs and Examples' so I think
> > the SOAP example is perfectly valid here, as we are not claiming that
> > this example is in the context of SSO (or any other context).
>
> It's valid, for sure.  My concern wasn't the validity but only that it might
> be a bit misleading/confusing for someone new to SAML (which is kind of the
> target audience for this doc, right?).  I believe there is some
> misconception that SSO can be done by just making a SOAP call and I fear
> that this example might compound that misconception.  But the real fun of
> web SSO (which is the main use case for SAML now) is the involvement of the
> user agent.
>
> Admittedly it is kind of a nit, and if others don't think it's an issue,
> I'll drop it.  But I was thinking it may be more appropriate to show an
> example of a SAML message that is more commonly bound to SOAP - like logout or
> artifact resolution.

I agree with Brian here.  SOAP is not required for SSO.  That's a
point we need to drive home as often as we can.  The example in
section 4.4.4 would be better served if it were an AttributeQuery, I
think.

Tom
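As an added illustration of the distinction Brian and Tom draw (example code written for this archive page, not part of the thread or of any OASIS deliverable): it builds the SOAP-bound AttributeQuery Tom suggests for section 4.4.4, and includes a small parser that pulls the SAML protocol message out of a SOAP Body and classifies it, so that an AuthnRequest, a browser-profile request, stands out as an unusual fit for that binding. The namespace URIs are the SAML 2.0 and SOAP 1.1 ones; the function names, the message-type sets and all sample values (issuer, subject, attribute names, timestamps) are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 and SOAP 1.1 namespace URIs (from the respective specifications).
NS_SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Request types commonly carried by the SAML SOAP binding (back-channel,
# no user agent involved) versus the browser-profile request the thread
# says is a misleading SOAP example. Sets are this example's assumption.
BACK_CHANNEL_REQUESTS = {"AttributeQuery", "LogoutRequest", "ArtifactResolve"}
BROWSER_PROFILE_REQUESTS = {"AuthnRequest"}

# Constructed sample: the kind of SOAP-wrapped AuthnRequest the thread objects to.
SAMPLE_SOAP_AUTHN_REQUEST = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Body>'
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_constructed-1" Version="2.0" IssueInstant="2008-02-13T09:34:00Z"/>'
    '</soap:Body></soap:Envelope>'
)


def build_soap_attribute_query(issuer, subject_name_id, attribute_names,
                               request_id, issue_instant):
    """Build a SOAP 1.1 envelope carrying a SAML 2.0 AttributeQuery and
    return it serialized as a string (unsigned; signing is out of scope)."""
    ET.register_namespace("soap", NS_SOAP)   # readable prefixes on output
    ET.register_namespace("samlp", NS_SAMLP)
    ET.register_namespace("saml", NS_SAML)
    env = ET.Element(f"{{{NS_SOAP}}}Envelope")
    body = ET.SubElement(env, f"{{{NS_SOAP}}}Body")
    query = ET.SubElement(body, f"{{{NS_SAMLP}}}AttributeQuery",
                          ID=request_id, Version="2.0", IssueInstant=issue_instant)
    ET.SubElement(query, f"{{{NS_SAML}}}Issuer").text = issuer
    subject = ET.SubElement(query, f"{{{NS_SAML}}}Subject")
    name_id = ET.SubElement(subject, f"{{{NS_SAML}}}NameID",
                            Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress")
    name_id.text = subject_name_id
    for name in attribute_names:  # one saml:Attribute per requested attribute
        ET.SubElement(query, f"{{{NS_SAML}}}Attribute", Name=name)
    return ET.tostring(env, encoding="unicode")


def extract_saml_message(soap_xml):
    """Return (local_name, element) for the single SAML protocol message in a
    SOAP 1.1 Body. Raises ValueError if the envelope is not shaped that way."""
    root = ET.fromstring(soap_xml)
    if root.tag != f"{{{NS_SOAP}}}Envelope":
        raise ValueError("not a SOAP 1.1 envelope")
    body = root.find(f"{{{NS_SOAP}}}Body")
    if body is None or len(body) != 1:
        raise ValueError("SOAP Body must carry exactly one SAML message")
    msg = body[0]
    if not msg.tag.startswith(f"{{{NS_SAMLP}}}"):
        raise ValueError("Body child is not a SAML 2.0 protocol message")
    return msg.tag.split("}", 1)[1], msg


def classify_binding_use(soap_xml):
    """'back-channel' for requests normally carried by the SOAP binding,
    'browser-profile' for AuthnRequest, 'response' for samlp:Response (which
    answers both AuthnRequest and AttributeQuery, so the name alone does not
    tell), and 'other' for anything else."""
    name, _ = extract_saml_message(soap_xml)
    if name in BACK_CHANNEL_REQUESTS:
        return "back-channel"
    if name in BROWSER_PROFILE_REQUESTS:
        return "browser-profile"
    if name == "Response":
        return "response"
    return "other"


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    xml = build_soap_attribute_query("https://sp.example.org", "alice@example.org",
                                     ["urn:oid:2.5.4.42"], "_constructed-2",
                                     "2008-02-13T09:34:00Z")
    print(xml)
    print(classify_binding_use(xml))                        # back-channel
    print(classify_binding_use(SAMPLE_SOAP_AUTHN_REQUEST))  # browser-profile
```

The classifier deliberately keys on request types only: a `samlp:Response` carrying an assertion is legitimate over SOAP when it answers an AttributeQuery, so the assertion's subject confirmation method and the `InResponseTo` value, not the binding, are what a relying party has to check before treating it as a web SSO login.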
