Subject: RE: [saml-dev] Is a separate "ArtifactReceiver" required?


> -----Original Message-----
> From: Kremp, Juergen [mailto:juergen.kremp@sap.com]
> Sent: Monday, December 02, 2002 11:16 AM
> To: saml-dev@lists.oasis-open.org
> Subject: [saml-dev] Is a separate "ArtifactReceiver" required?
> 
> Dear experts,
> 
> the "Bindings and Profiles" specification describes the Web Browser SSO
> Profile of SAML.
> 
> In 4.1.1.4 (Step 2), the user browser is directed from the source site to
> the destination site.
> 
> The question is: What is the scope of the word "must" in the sentence:
> "The HTTP response MUST take the form".
> Does it only cover the grey shaded box or does it also cover the parts
> that describe the form of <SAMLSearchpart>???

[Rob] The scope applies to the grey box and the description under "Where:"
below the box.

> 
> My point is this:
> 
> Is it legal that the InterSiteTransfer service redirects the user browser
> directly to for example
> 
>    http://www.anycompany.com/application/resource&SAMLart=aabbccdd
> 
> (assuming that the used servlet container is capable of inspecting every
> URL request incoming).
> 

[Rob] It is NOT legal to use an HTTP response other than that described in
the document.  That is, it MUST use a URL formatted with
?TARGET=...&SAMLart=...

Note that the "?" begins URL parameters and also MUST be present.

> 
> Taking chapter 4.1.1.4 to heart, the <SAMLSearchpart> "must" have
> the form TARGET=....&SAMLart=....
> and thus MUST have a TARGET parameter.
> 
> But sending a request like
> 
> 
> "http://www.anycompany.com/application/resource&TARGET=http://www.anycompany.com/application/resource&SAMLart=aabbccdd"
> 
> looks odd.
> 

[Rob] It should look like (note the first "&" should be "?"):
"http://www.anycompany.com/application/resource?TARGET=http://www.anycompany.com/application/resource&SAMLart=aabbccdd"

Of course, I am assuming that "/application/resource" points to the artifact
receiver service in the target domain.  

Why does this look odd?  The TARGET and SAMLart are simply URL parameters to
the artifact receiver service.

> 
> Juergen Kremp
> SAP AG

Rob Philpott 
RSA Security Inc. 
The Most Trusted Name in e-Security 
Tel: 781-515-7115 
Mobile: 617-510-0893 
Fax: 781-515-7020 
mailto:rphilpott@rsasecurity.com
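The point Rob makes above, that the Step 2 redirect MUST carry TARGET and SAMLart as URL parameters introduced by "?" rather than appended with "&", is easy to get wrong on both sides. The following is an added example, not code from the thread, the SAML specification or either company: one helper builds the redirect URL the inter-site transfer service sends, and a second one checks an incoming artifact-receiver request and rejects the "&" form from the original question. The function names and the ALLOWED_TARGET_HOSTS allowlist are my own; restricting TARGET to the destination site's own hosts is a defensive check beyond what the thread discusses, not something the profile text mandates.

```python
"""Build and check the Step 2 redirect of the SAML 1.x Web Browser SSO
(artifact) profile, whose query MUST be ?TARGET=...&SAMLart=... .
Added example; helper names are assumptions, not the specification's."""
from urllib.parse import parse_qs, urlencode, urlsplit

# Hostnames the destination site accepts as TARGET. Constructed for this
# example; this allowlist is a defensive addition beyond the thread.
ALLOWED_TARGET_HOSTS = {"www.anycompany.com"}


def build_artifact_redirect(receiver_url, target, artifact):
    """Return the URL the inter-site transfer service redirects the browser to.

    The parameters are appended with '?', never '&', and TARGET is
    percent-encoded so the ':' '/' '&' characters inside the target URL
    cannot be mistaken for parameter syntax by the receiver."""
    if "?" in receiver_url or "#" in receiver_url:
        raise ValueError("receiver URL must not already carry a query or fragment")
    if not artifact:
        raise ValueError("SAMLart value must not be empty")
    query = urlencode([("TARGET", target), ("SAMLart", artifact)])
    return f"{receiver_url}?{query}"


def parse_artifact_request(url, allowed_target_hosts=ALLOWED_TARGET_HOSTS):
    """Validate an incoming artifact-receiver request; return (target, artifact).

    Raises ValueError for anything not of the mandated form: a missing '?'
    (the '&' mistake from the thread), a missing or duplicated TARGET or
    SAMLart, or a TARGET outside the allowed hosts."""
    parts = urlsplit(url)
    if not parts.query:
        # With '&' instead of '?' everything lands in the path and no
        # query component exists at all.
        raise ValueError("no '?' query component; TARGET and SAMLart must be URL parameters")
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in ("TARGET", "SAMLart"):
        values = params.get(name, [])
        if len(values) != 1 or not values[0]:
            raise ValueError(f"{name} must appear exactly once and be non-empty")
    target = params["TARGET"][0]
    artifact = params["SAMLart"][0]
    target_host = urlsplit(target).hostname
    if allowed_target_hosts is not None and target_host not in allowed_target_hosts:
        raise ValueError(f"TARGET host {target_host!r} is not a resource of this site")
    return target, artifact


if __name__ == "__main__":
    receiver = "http://www.anycompany.com/application/resource"
    good = build_artifact_redirect(receiver, receiver, "aabbccdd")
    print(good)
    print(parse_artifact_request(good))
    # The form from the original question: '&' where '?' belongs.
    bad = ("http://www.anycompany.com/application/resource"
           "&TARGET=http://www.anycompany.com/application/resource&SAMLart=aabbccdd")
    try:
        parse_artifact_request(bad)
    except ValueError as err:
        print("rejected:", err)
```

Rob's corrected URL, with an unencoded TARGET, also parses correctly, but only because that particular target contains no "&" or "=" of its own; percent-encoding TARGET when building the redirect is what keeps the parse unambiguous for arbitrary resource URLs.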

