

Subject: RE: [saml-dev] Using HTTP Redirect to send a Response? Profiles spec says no. Bindings spec says yes. Which is correct?


 
The portion of the Profile spec you refer to is talking about the Browser SSO profile -- in that profile of SAML you MUST NOT use an HTTP-Redirect (you can, of course, use an Artifact via HTTP-Redirect to represent the response).  That doesn't mean there aren't other profiles of SAML that could use the HTTP-Redirect for a response message.
 
In fact, the example in the Bindings is of an SLO profile message.
 
Conor


From: Costello, Roger L. [mailto:costello@mitre.org]
Sent: Thursday, May 18, 2006 11:57 AM
To: saml-dev@lists.oasis-open.org
Subject: [saml-dev] Using HTTP Redirect to send a Response? Profiles spec says no. Bindings spec says yes. Which is correct?

Hi Folks,

 

In section 4.1.2, bullet 5 of the Profiles specification it says:  “The HTTP Redirect binding MUST NOT be used [for sending a Response to a Service Provider], as the response will typically exceed the URL length permitted by most user agents”.

 

In the Bindings specification, in 3.4.8 it shows an example of using HTTP Redirect to send a Response to a Service Provider.

 

So, the Profiles spec says that HTTP Redirect must not be used, whereas the Bindings spec says that HTTP Redirect can be used.  Which is correct?  /Roger
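
The size constraint behind the Profiles wording can be checked directly. The following is an added example, not part of either message or of the SAML specifications: it applies the HTTP-Redirect DEFLATE encoding to a small SLO response and to an SSO response carrying a signed assertion, and compares the resulting URL lengths. The 2048-character budget, the endpoint URL, and both abbreviated messages are assumptions constructed for the illustration.

```python
import base64, hashlib, urllib.parse, zlib

URL_BUDGET = 2048  # assumption: conservative user-agent URL limit, not a figure from the specs
ENDPOINT = "https://sp.example.com/saml"  # hypothetical service provider endpoint

def redirect_url(saml_xml, endpoint=ENDPOINT, param="SAMLResponse"):
    """HTTP-Redirect DEFLATE encoding: raw deflate, then base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw RFC 1951, no zlib header
    deflated = comp.compress(saml_xml.encode("utf-8")) + comp.flush()
    b64 = base64.b64encode(deflated).decode("ascii")
    return endpoint + "?" + urllib.parse.urlencode({param: b64})

def decode_redirect(url, param="SAMLResponse"):
    """Receiver side: reverse the encoding to recover the XML."""
    value = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)[param][0]
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")

def fits_redirect(saml_xml, budget=URL_BUDGET):
    """True when the encoded redirect URL stays within the assumed length budget."""
    return len(redirect_url(saml_xml)) <= budget

def filler_b64(label, nbytes):
    """Constructed stand-in for signature/certificate bytes (deterministic, high entropy)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hashlib.sha256(f"{label}{i}".encode()).digest()
        i += 1
    return base64.b64encode(out[:nbytes]).decode("ascii")

STATUS = ('<samlp:Status><samlp:StatusCode '
          'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>')
HEAD = ('xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_a1" Version="2.0" '
        'IssueInstant="2006-05-18T15:57:00Z" InResponseTo="_r1"')

# Constructed, abbreviated messages (not schema-complete).
LOGOUT_RESPONSE = f"<samlp:LogoutResponse {HEAD}>{STATUS}</samlp:LogoutResponse>"
SSO_RESPONSE = (
    f"<samlp:Response {HEAD}>{STATUS}<saml:Assertion>"
    f"<ds:SignatureValue>{filler_b64('sig', 256)}</ds:SignatureValue>"
    f"<ds:X509Certificate>{filler_b64('cert', 1500)}</ds:X509Certificate>"
    "<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>"
    "</saml:Assertion></samlp:Response>")

if __name__ == "__main__":
    for name, xml in (("LogoutResponse", LOGOUT_RESPONSE), ("SSO Response", SSO_RESPONSE)):
        print(name, len(redirect_url(xml)), "fits" if fits_redirect(xml) else "too long")
```

Signature and certificate material is already base64 and barely compresses, so DEFLATE does little to shrink a message that embeds it.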


