

Subject: RE: [security-services] JIRA SECURITY-6 PE: Conflict with core in SSO profile on returning error Responses to SP


> I agree that there is a conflict between the current texts in Core and
> Profiles in terms of MUST vs. SHOULD, but if that can be resolved without
> changing the underlying nature of the guidance to implementers, I think
> that would be a cleaner result.

I proposed the following compromise wording for Kantara:

"Identity Provider implementations MUST support the issuance of
<saml2p:Response> messages (with appropriate status codes) in the event that
authentication of the user is unsuccessful, provided that the user agent
remains available and an acceptable location to which to deliver the
response is available."

For errata purposes, I would s/MUST/SHOULD.

I'd probably also hold open the issue on our side pending finalization of
the language in the profile there. My feeling is that it's insufficient and
overly specific to talk only about "authn of the user", but I don't know
what else to say.

-- Scott



