OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: [OASIS Issue Tracker] Commented: (SECURITY-6) PE: Conflict withcore in SSO profile on returning error Responses to SP


    [ http://tools.oasis-open.org/issues/browse/SECURITY-6?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18333#action_18333 ] 

Scott Cantor commented on SECURITY-6:
-------------------------------------

I think those are in fact not distinctions that some (I emphasize some) deployers want to make. Some people really feel that if you can return, you should. The intent of the language is to guide implementers to ensure that deployers can force such behavior if they choose.

I would agree that there are security considerations around all this, but that's a whole other set of errata.

> PE: Conflict with core in SSO profile on returning error Responses to SP
> ------------------------------------------------------------------------
>
>                 Key: SECURITY-6
>                 URL: http://tools.oasis-open.org/issues/browse/SECURITY-6
>             Project: OASIS Security Services (SAML) TC
>          Issue Type: Bug
>          Components: Profiles
>    Affects Versions: Version 2.0
>            Reporter: Scott Cantor
>            Assignee: Scott Cantor
>            Priority: Minor
>             Fix For: 2.0 incorporating Approved Errata
>
>
> Section 3.4.1.4 of Core states that "The responder MUST ultimately reply to an <AuthnRequest> with a <Response> message..." regardless of success or failure.
> Section 4.1.3.5 of Profiles reads "Regardless of the success or failure of the <AuthnRequest>, the identity provider SHOULD produce an HTTP response to the user agent containing a <Response> message...".
> The conflicting language should be clarified, without imposing the impossible requirement for an IdP to guarantee a response, but to encourage implementers to favor responses and/or provide options to ensure that.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]