Subject: RE: [saml-dev] HTTP error response code
>>>> Scenario: App to App (no intermediary Browser)
>>>>
>>> There's really no profile for that scenario in SAML proper,
>>> so asking how it should work is sort of begging the question.
>>>
>> Let me see if I understand correctly:
>>
>> 1. Two applications directly exchanging SAML documents is not legal?
>>
>> 2. The only legal interaction patterns are those described in the
>> profiles specification?
>>
>> 3. The semantics of SAML when used in interaction patterns not
>> described in the profiles specification is undefined?
>>
>> Is that what is being stated?

> No, I think Scott is simply saying there is no SAML 2.0 profile that
> governs this situation. Others are free to specify additional
> profiles of SAML.

Good. Other interaction patterns are possible.

So the answer to Prasanta's question is:

There is no application-to-application interaction pattern specified by the SAML profile specification. It is up to you to define how things will work. Thus if the Service Provider receives an assertion that is invalid, you must decide how to handle it.

Do I understand correctly how new interaction patterns are to be dealt with?

I assume that the profiles described in the profiles specification are there because the interaction patterns they depict are common, right?

/Roger