OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [saml-dev] Questions about ECP Profile

> I'm not sure what a SOAP-bound request would entail.  For an
> AuthnRequest, the specifications state that the enhanced client should
> strip the PAOS and ECP headers from the SOAP message before sending to
> the IdP, so it would be a basic SOAP message with an AuthnRequest in the
> body.


> In an unsolicited case, the message would consist of a SOAP
> envelope with an empty body, since there is no AuthnRequest.

That's exactly my point, you create one and spoof the SP. To do that in the
face of signing isn't possible, which is where the notion of a third- party
request extension came from.

I'm just saying that that's as likely as any other hack to trigger an
unsolicited response. Otherwise, there is no spec for it, any more than
there was in SAML 1.1 (where all responses were effective unsolicited and
these same questions come up).

Going forward, this is not the model I would suggest for future profiles.
Splitting "get token" with "deliver token" and using other techniques (e.g.
WS-SecurityPolicy profiles) to establish the right content for an
AuthnRequest issued by the client to the IdP is a better strategy.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]