Subject: [saml-dev] Is a separate "ArtifactReceiver" required?
Dear experts,

the "Bindings and Profiles" specification describes the Web Browser SSO Profile of SAML. In 4.1.1.4 (Step 2), the user browser is directed from the source site to the destination site. The question is: what is the scope of the word "must" in the sentence "The HTTP response MUST take the form"? Does it only cover the grey shaded box, or does it also cover the parts that describe the form of <SAMLSearchpart>?

My point is this: is it legal for the InterSiteTransfer service to redirect the user browser directly to, for example, http://www.anycompany.com/application/resource&SAMLart=aabbccdd (assuming that the servlet container used is capable of inspecting every incoming URL request)?

Taking chapter 4.1.1.4 to heart, the <SAMLSearchpart> "must" have the form TARGET=....&SAMLart=.... and thus MUST have a TARGET parameter. But sending a request like "http://www.anycompany.com/application/resource&TARGET=http://www.anycompany.com/application/resource&SAMLart=aabbccdd" looks odd.

Juergen Kremp
SAP AG