saml-dev message
Subject: RE: [saml-dev] Questions about ECP Profile


> I'm not sure what a SOAP-bound request would entail.  For an
> AuthnRequest, the specifications state that the enhanced client should
> strip the PAOS and ECP headers from the SOAP message before sending to
> the IdP, so it would be a basic SOAP message with an AuthnRequest in the
> body.

Yes.

> In an unsolicited case, the message would consist of a SOAP
> envelope with an empty body, since there is no AuthnRequest.

That's exactly my point, you create one and spoof the SP. To do that in the
face of signing isn't possible, which is where the notion of a third-party
request extension came from.

I'm just saying that that's as likely as any other hack to trigger an
unsolicited response. Otherwise, there is no spec for it, any more than
there was in SAML 1.1 (where all responses were effectively unsolicited and
these same questions come up).

Going forward, this is not the model I would suggest for future profiles.
Splitting "get token" with "deliver token" and using other techniques (e.g.
WS-SecurityPolicy profiles) to establish the right content for an
AuthnRequest issued by the client to the IdP is a better strategy.

-- Scott
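A worked example of the header stripping the quoted question describes, added here and not taken from this thread or from any SAML implementation: the enhanced client removes the paos:Request, ecp:Request and ecp:RelayState header blocks from a constructed PAOS response and refuses to forward an envelope whose Body carries no AuthnRequest (the unsolicited case). It re-serializes through ElementTree, so it assumes an unsigned AuthnRequest; a signed one would have to be forwarded byte-for-byte.

```python
import xml.etree.ElementTree as ET

NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": "urn:liberty:paos:2003-08",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for prefix, uri in NS.items():          # keep conventional prefixes on output
    ET.register_namespace(prefix, uri)

# Constructed sample (not a captured message) of what an SP hands the enhanced
# client over PAOS: ECP/PAOS header blocks plus an AuthnRequest in the Body.
SP_PAOS_RESPONSE = f"""<S:Envelope xmlns:S="{NS['S']}">
  <S:Header>
    <paos:Request xmlns:paos="{NS['paos']}" S:mustUnderstand="1"
        responseConsumerURL="https://sp.example.org/SAML2/ECP"/>
    <ecp:Request xmlns:ecp="{NS['ecp']}" S:mustUnderstand="1" ProviderName="Example SP">
      <saml:Issuer xmlns:saml="{NS['saml']}">https://sp.example.org</saml:Issuer>
    </ecp:Request>
    <ecp:RelayState xmlns:ecp="{NS['ecp']}" S:mustUnderstand="1">state-1</ecp:RelayState>
  </S:Header>
  <S:Body>
    <samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" ID="_req1" Version="2.0"
        IssueInstant="2006-01-01T00:00:00Z">
      <saml:Issuer xmlns:saml="{NS['saml']}">https://sp.example.org</saml:Issuer>
    </samlp:AuthnRequest>
  </S:Body>
</S:Envelope>"""

# Constructed "unsolicited" envelope: empty Body, so there is nothing to forward.
EMPTY_BODY_ENVELOPE = f'<S:Envelope xmlns:S="{NS["S"]}"><S:Body/></S:Envelope>'

def has_authn_request(envelope_xml: str) -> bool:
    root = ET.fromstring(envelope_xml)
    return root.find("S:Body/samlp:AuthnRequest", NS) is not None

def strip_ecp_headers(envelope_xml: str) -> tuple[str, list[str]]:
    """Drop PAOS/ECP header blocks; return (forwardable envelope, removed block names)."""
    if not has_authn_request(envelope_xml):
        raise ValueError("SOAP Body carries no AuthnRequest; refusing to forward to the IdP")
    root = ET.fromstring(envelope_xml)
    removed = []
    header = root.find("S:Header", NS)
    if header is not None:
        for block in list(header):
            if block.tag.startswith(("{%s}" % NS["paos"], "{%s}" % NS["ecp"])):
                removed.append(block.tag.split("}", 1)[1])   # local name, e.g. RelayState
                header.remove(block)
        if len(header) == 0:            # nothing left for the IdP: drop the empty Header
            root.remove(header)
    return ET.tostring(root, encoding="unicode"), removed
```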
