security-services message
Subject: [OASIS Issue Tracker] Updated: (SECURITY-6) PE: Conflict with core in SSO profile on returning error Responses to SP



     [ http://tools.oasis-open.org/issues/browse/SECURITY-6?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Scott Cantor updated SECURITY-6:
--------------------------------

      Proposal: 
Change text in 4.1.3.5 of Profiles to:

"Identity Provider implementations MUST/SHOULD support the issuance of
<saml2p:Response> messages (with appropriate status codes) in the event of
an error condition, provided that the user agent remains available and an
acceptable location to which to deliver the response is available. The
criteria for "acceptability" of a response location are not formally
specified, but are subject to Identity Provider policy and reflect its
responsibility to protect users from being sent to untrusted or possibly
malicious parties."

  was:
Change text in 4.1.3.5 of Profiles to:

"Regardless of the success or failure of the <AuthnRequest>, the identity provider SHOULD produce and send an HTTP response to the user agent containing a <Response> message under any circumstances within its control, and implementations SHOULD provide deployers with the ability to guarantee responses where possible." 

    Resolution:   (was: Proposal accepted on 4/6/10 TC call.)

Changing proposal to reflect text agreed to by Ari on list.

> PE: Conflict with core in SSO profile on returning error Responses to SP
> ------------------------------------------------------------------------
>
>                 Key: SECURITY-6
>                 URL: http://tools.oasis-open.org/issues/browse/SECURITY-6
>             Project: OASIS Security Services (SAML) TC
>          Issue Type: Bug
>          Components: Profiles
>    Affects Versions: Version 2.0
>            Reporter: Scott Cantor
>            Assignee: Scott Cantor
>            Priority: Minor
>             Fix For: 2.0 incorporating Approved Errata
>
>
> Section 3.4.1.4 of Core states that "The responder MUST ultimately reply to an <AuthnRequest> with a <Response> message..." regardless of success or failure.
> Section 4.1.3.5 of Profiles reads "Regardless of the success or failure of the <AuthnRequest>, the identity provider SHOULD produce an HTTP response to the user agent containing a <Response> message...".
> The conflicting language should be clarified, without imposing the impossible requirement for an IdP to guarantee a response, but to encourage implementers to favor responses and/or provide options to ensure that.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
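The proposed 4.1.3.5 text leaves "acceptability" of the response location to Identity Provider policy. The following is an added example, not code from this thread or from any SAML implementation, of how an IdP might apply such a policy before delivering an error `<saml2p:Response>`: the requester must be a registered SP and the target must be one of its registered AssertionConsumerService endpoints, otherwise the IdP fails locally rather than redirect the user agent to an unverified location. The SP registry, the simplified `AuthnRequest` model and the response ID and timestamp are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"

# Constructed registry: SP entityID -> ACS URLs taken from its registered metadata.
SP_REGISTRY = {
    "https://sp.example.org/shibboleth": {"https://sp.example.org/Shibboleth.sso/SAML2/POST"},
}

@dataclass
class AuthnRequest:
    """Simplified model (constructed): only the fields this policy check needs."""
    id: str
    issuer: str
    acs_url: Optional[str] = None  # AssertionConsumerServiceURL attribute, if present

def acceptable_response_location(req: AuthnRequest, registry=SP_REGISTRY) -> Optional[str]:
    """Return a location the IdP may deliver a Response to, or None.
    Policy (hypothetical): issuer must be registered, the location must be one of
    its registered ACS endpoints, and it must be an https URL."""
    endpoints = registry.get(req.issuer)
    if not endpoints:
        return None
    candidate = req.acs_url or sorted(endpoints)[0]  # fall back to a registered default
    if candidate not in endpoints or urlsplit(candidate).scheme != "https":
        return None
    return candidate

def build_error_response(in_response_to: str, destination: str, status_code: str, message: str) -> str:
    """Minimal <samlp:Response> carrying only a status (no assertion)."""
    ET.register_namespace("samlp", SAMLP)
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_constructed-response-id", "Version": "2.0",
        "IssueInstant": "2010-04-06T00:00:00Z",
        "InResponseTo": in_response_to, "Destination": destination})
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": status_code})
    ET.SubElement(status, f"{{{SAMLP}}}StatusMessage").text = message
    return ET.tostring(resp, encoding="unicode")

def handle_error(req: AuthnRequest, status_code: str, message: str):
    """Per the proposal: send the error Response only to an acceptable location;
    otherwise return None so the IdP renders a local error page instead."""
    dest = acceptable_response_location(req)
    if dest is None:
        return None
    return dest, build_error_response(req.id, dest, status_code, message)
```

A production IdP would additionally verify the request signature or metadata binding before trusting the issuer at all; this example only shows the location-acceptability decision the proposal leaves to policy.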