OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: [OASIS Issue Tracker] Commented: (SECURITY-6) PE: Conflict withcore in SSO profile on returning error Responses to SP



    [ http://tools.oasis-open.org/issues/browse/SECURITY-6?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18337#action_18337 ] 

Scott Cantor commented on SECURITY-6:
-------------------------------------

Practically speaking, I'm not sure what distinction results from making this a matter for implementation profiles defined elsewhere, since the only conformance testing being done these days is based on those profiles, not this one.

I'm not going to write up a bunch of security material on this for the simple reason that it isn't my issue to begin with. If we're not in agreement to change the text, I say we leave it.

But can I suggest you take this to the list and just ask to reopen the resolution on this? No sense debating it in Jira.

> PE: Conflict with core in SSO profile on returning error Responses to SP
> ------------------------------------------------------------------------
>
>                 Key: SECURITY-6
>                 URL: http://tools.oasis-open.org/issues/browse/SECURITY-6
>             Project: OASIS Security Services (SAML) TC
>          Issue Type: Bug
>          Components: Profiles
>    Affects Versions: Version 2.0
>            Reporter: Scott Cantor
>            Assignee: Scott Cantor
>            Priority: Minor
>             Fix For: 2.0 incorporating Approved Errata
>
>
> Section 3.4.1.4 of Core states that "The responder MUST ultimately reply to an <AuthnRequest> with a <Response> message..." regardless of success or failure.
> Section 4.1.3.5 of Profiles reads "Regardless of the success or failure of the <AuthnRequest>, the identity provider SHOULD produce an HTTP response to the user agent containing a <Response> message...".
> The conflicting language should be clarified, without imposing the impossible requirement for an IdP to guarantee a response, but to encourage implementers to favor responses and/or provide options to ensure that.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]