security-services message
Subject: RE: [security-services] question on MNI request for SP Lite/IdP Lite


Kyle Meadors wrote on 2009-03-25:
> I agree this is an odd situation. At the heart of it, it is a question of
> 1.) what is the difference between SP/IdP and SP Lite/IdP Lite and 2.) how
> do you prove an application can switch between the two modes.

Right, and I think it's an artificial distinction and isn't really expressed
well in the spec. There's no reason why somebody who's an SP should have to
prove they can do SP Lite, because it should be a superset.

What you *use* in a deployment is then reflected in the metadata so there's
no confusion.

> For a SP Lite/IdP Lite only application that does not define a MNI endpoint,
> you couldn't use this test case, nor would you want to. However, we are
> getting companies in the test events which want to certify their products as
> both SP/IdP and SP Lite/IdP Lite. For these products, they do define a MNI
> endpoint in their metadata, but claim to be able to switch this
> functionality on/off.

Right, but that should be reflected in the metadata, and switching modes
should result in different support being advertised. It might also cause the
product to implement particular features differently, but that's an internal
detail.

> But as we (Liberty LCRT, DGI, test participants) discussed this, we were
> unsure exactly how to approach this. There was some confusion on the nature
> of the difference between SP/IdP and their Lite modes. Is it simply not
> listening on an MNI endpoint and thus not accepting MNIRequests or is it
> something deeper?

I think it could be either, but it's far more important (as we discussed
separately recently) that the metadata be correct for whatever the case is.

It shouldn't be a normal thing that somebody just returns errors from an
endpoint they document. The peer obviously has to handle errors, but it's
bad form to do that kind of thing IMHO.

-- Scott
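As an added example (not code from this thread, the Liberty test suite or any OASIS deliverable), the following script checks whether a SAML 2.0 metadata document actually advertises a ManageNameIDService endpoint, which is the thing the reply above says has to match the mode a product is running in. The entityID and endpoint URLs are constructed placeholders, and the rule it applies, that a Lite deployment advertises no MNI endpoint while a full SP/IdP advertises at least one, is taken from the discussion rather than from the conformance document itself.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ROLES = ("SPSSODescriptor", "IDPSSODescriptor")

# Constructed sample metadata for a full-profile SP; entityID and URLs are placeholders.
MNI_LINE = f'    <md:ManageNameIDService Binding="{REDIRECT}" Location="https://sp.example.org/mni"/>\n'
SAMPLE_FULL = (
    f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sp.example.org">\n'
    + '  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">\n'
    + f'    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://sp.example.org/slo"/>\n'
    + MNI_LINE
    + '    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"'
    + ' Location="https://sp.example.org/acs" index="0"/>\n'
    + '  </md:SPSSODescriptor>\n'
    + '</md:EntityDescriptor>\n'
)
# The same deployment switched to SP Lite: the only difference a peer can see is the missing MNI endpoint.
SAMPLE_LITE = SAMPLE_FULL.replace(MNI_LINE, "")


def mni_endpoints(metadata_xml: str) -> dict:
    """Map each SSO role descriptor present to the (Binding, Location) pairs of its ManageNameIDService endpoints."""
    root = ET.fromstring(metadata_xml)
    found = {}
    for role in ROLES:
        for desc in root.iter(f"{{{MD_NS}}}{role}"):
            eps = [(e.get("Binding"), e.get("Location"))
                   for e in desc.findall(f"{{{MD_NS}}}ManageNameIDService")]
            found.setdefault(role, []).extend(eps)
    return found


def check_mode(metadata_xml: str, lite: bool) -> list:
    """Report mismatches between the mode a product claims and what its metadata advertises.
    Assumed rule (from the discussion): Lite advertises no MNI endpoint, full SP/IdP advertises at least one."""
    problems = []
    for role, eps in mni_endpoints(metadata_xml).items():
        if lite and eps:
            problems.append(f"{role}: Lite mode claimed but {len(eps)} ManageNameIDService endpoint(s) advertised")
        elif not lite and not eps:
            problems.append(f"{role}: full mode claimed but no ManageNameIDService endpoint advertised")
    return problems


if __name__ == "__main__":
    print(mni_endpoints(SAMPLE_FULL))
    print(check_mode(SAMPLE_FULL, lite=True))   # mismatch: MNI advertised while claiming Lite
    print(check_mode(SAMPLE_LITE, lite=True))   # consistent, prints []
```

A product that "switches modes" should produce metadata that passes `check_mode` under both settings; a document that advertises the endpoint but answers it with errors fails the Lite check, which is exactly the bad form the reply objects to.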