Subject: RE: [saml-dev] Is a separate "ArtifactReceiver" required?
> -----Original Message-----
> From: Kremp, Juergen [mailto:juergen.kremp@sap.com]
> Sent: Monday, December 02, 2002 11:16 AM
> To: saml-dev@lists.oasis-open.org
> Subject: [saml-dev] Is a separate "ArtifactReceiver" required?
>
> Dear experts,
>
> the "Bindings and Profiles" specification describes the Web Browser SSO
> Profile of SAML.
>
> In 4.1.1.4 (Step 2), the user browser is directed from the source site to
> the destination site.
>
> The question is: What is the scope of the word "must" in the sentence:
> "The HTTP response MUST take the form".
> Does it only cover the grey shaded box or does it also cover the parts
> that describe the form of <SAMLSearchpart>???

[Rob] The scope applies to the grey box and the description under "Where:" below the box.

> My point is this:
>
> Is it legal that the InterSiteTransfer service redirects the user browser
> directly to for example
>
> http://www.anycompany.com/application/resource&SAMLart=aabbccdd
>
> (assuming that the used servlet container is capable of inspecting every
> URL request incoming).

[Rob] It is NOT legal to use an HTTP response other than that described in the document. That is, it MUST use a URL formatted with ?TARGET=...&SAMLart=... Note that the "?" begins URL parameters and also MUST be present.

> Taking the chapter 4.1.1.4 by the heart the <SAMLSearchpart> "must" have
> the form TARGET=....&SAMLart=....
> and thus MUST have a TARGET parameter.
>
> But sending a request like
>
> "http://www.anycompany.com/application/resource&TARGET=http://www.anycompany.com/application/resource&SAMLart=aabbccdd"
>
> looks odd.

[Rob] It should look like (note the first "&" should be "?"):
"http://www.anycompany.com/application/resource?TARGET=http://www.anycompany.com/application/resource&SAMLart=aabbccdd"
Of course, I am assuming that "/application/resource" points to the artifact receiver service in the target domain. Why does this look odd? The TARGET and SAMLart are simply URL parameters to the artifact receiver service.

> Juergen Kremp
> SAP AG
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: http://lists.oasis-open.org/ob/adm.pl

Rob Philpott
RSA Security Inc.
The Most Trusted Name in e-Security
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
mailto:rphilpott@rsasecurity.com
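As an added illustration (not code from this thread or from any SAML implementation), the Python below builds the Step 2 redirect in the form Rob describes and shows, from the artifact receiver's side, why the "&" form from the question carries no parameters at all. The URLs and the artifact value "aabbccdd" are the thread's own placeholders; the function names are assumptions of this example.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Values taken from the thread: the receiver path and "aabbccdd" are the
# original poster's placeholders, not a real artifact.
RECEIVER_URL = "http://www.anycompany.com/application/resource"
TARGET_URL = "http://www.anycompany.com/application/resource"
ARTIFACT = "aabbccdd"
MALFORMED = RECEIVER_URL + "&TARGET=" + TARGET_URL + "&SAMLart=" + ARTIFACT


def build_artifact_redirect(receiver_url: str, target: str, artifact: str) -> str:
    """Source-site side: build the Location value for Step 2 of the profile.

    The query string must begin with "?" and carry both TARGET and SAMLart.
    urlencode() percent-escapes the target, so a target that itself contains
    "?", "&" or "=" cannot be mistaken for the outer parameters.
    """
    if "?" in receiver_url or "#" in receiver_url:
        raise ValueError("receiver URL must not already carry a query or fragment")
    return receiver_url + "?" + urlencode({"TARGET": target, "SAMLart": artifact})


def parse_artifact_request(request_url: str) -> dict:
    """Artifact-receiver side: extract TARGET and SAMLart or reject the request.

    With "&" in place of "?" the whole tail is parsed as part of the path,
    so the receiver sees no parameters at all; that is why the "?" is mandatory.
    """
    query = urlsplit(request_url).query
    params = parse_qs(query)  # blank values are dropped, so "TARGET=" counts as missing
    missing = [n for n in ("TARGET", "SAMLart") if n not in params]
    if missing:
        raise ValueError("missing parameter(s): " + ", ".join(missing))
    # Exactly one value each: a repeated parameter is ambiguous and is refused
    # rather than silently picking the first or last occurrence.
    repeated = [n for n in ("TARGET", "SAMLart") if len(params[n]) != 1]
    if repeated:
        raise ValueError("repeated parameter(s): " + ", ".join(repeated))
    return {"TARGET": params["TARGET"][0], "SAMLart": params["SAMLart"][0]}


def is_valid_artifact_request(request_url: str) -> bool:
    """True only if the request carries exactly one TARGET and one SAMLart."""
    try:
        parse_artifact_request(request_url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(build_artifact_redirect(RECEIVER_URL, TARGET_URL, ARTIFACT))
    print(is_valid_artifact_request(MALFORMED))  # False: "&" hides the parameters
```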