
saml-dev message


Subject: SOAP Basic Authentication Handling in SAML 1.1

I’ve got a question about the correct behavior WRT Basic Authentication of the SOAP channel in SAML 1.1.


When a relying party and asserting party are configured to use Basic authentication for the SOAP channel, if the relying party sends a SOAP request to an asserting party without the header that includes the username and password, how should the asserting party respond? Should it return a 401 or a 403? At the interop event at the RSA show, we found that different implementations acted differently, leading to issues with interoperability. I couldn’t find any mention of the correct behavior in the SAML or SOAP specs.






Darren Platt

Director of Solutions Architecture

Ping Identity Corporation


Direct: 303.468.2853

Mobile: 303.775.6212
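
The interoperability problem described in the message above, seen from the relying party's side, as an added example that is not part of the original post or of any SAML implementation: a sketch of a client that tolerates either a 401 or a 403 reply to a SOAP request sent without credentials. The function names, action labels and sample replies are hypothetical and constructed for illustration.

```python
import base64

def basic_authorization(username, password):
    """Authorization header value for HTTP Basic authentication."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")

def offers_basic(headers):
    """True if a WWW-Authenticate header carries a Basic challenge."""
    for name, value in headers.items():
        if name.lower() != "www-authenticate":
            continue
        # Simplification: split multiple challenges on commas and look at
        # the scheme token that starts each one.
        for part in value.split(","):
            words = part.split()
            if words and words[0].lower() == "basic":
                return True
    return False

def next_step(status, headers, sent_credentials):
    """What the relying party does with the asserting party's HTTP reply."""
    if 200 <= status < 300:
        return "process-soap-response"
    if status == 500:
        return "process-soap-fault"      # SOAP 1.1 faults travel on HTTP 500
    if status in (401, 403):
        if sent_credentials:
            return "fail-credentials-rejected"
        if status == 401 and offers_basic(headers):
            return "retry-challenged"    # normal HTTP challenge/response
        return "retry-unchallenged"      # 403, or 401 without a Basic challenge
    return "fail-transport"

# Constructed replies to a SOAP request sent without an Authorization header.
SAMPLES = [
    (401, {"WWW-Authenticate": 'Basic realm="saml-soap"'}),
    (401, {}),
    (403, {"Content-Type": "text/html"}),
]

if __name__ == "__main__":
    for status, headers in SAMPLES:
        print(status, next_step(status, headers, sent_credentials=False))
    print(basic_authorization("Aladdin", "open sesame"))
```

A relying party that sends the `Authorization` header on its first request does not depend on which of the two status codes the asserting party chooses for an unauthenticated request.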

