Subject: SAML error responses & security
Hello,

the SAML 2 specs contain language for most of the protocols and bindings that seems to _require_ an entity to send a SAML response, even for indicating errors:

* Web SSO Profile (SAMLProf, 519/20): "If the identity provider cannot or will not satisfy the request, it MUST respond with a <Response> message containing an appropriate error status code or codes."

* SLO profile (SAMLProf, 1256-59): "After processing the message or upon encountering an error, the entity MUST issue a <LogoutResponse> message containing an appropriate status code to the requesting identity provider to complete the SAML protocol exchange."

* Redirect Binding (SAMLBind, 682/83): "HTTP interactions during the message exchange MUST NOT use HTTP error status codes to indicate failures in SAML processing, since the user agent is not a full party to the SAML protocol exchange."

Now there may be situations where it seems favorable not to respond for security reasons. Am I missing something, or would not responding be a violation of the spec in many cases?

Regards,
Andreas

--
Andreas Vallen
Software Engineer
Tel: +49 721 96448-132
Fax: +49 721 96448-299
andreas.vallen@fun.de

fun communications GmbH
Lorenzstrasse 29
D-76135 Karlsruhe
Managing directors: Stefan Bamberg, Johannes Feulner, Klaus Nahr
Amtsgericht Mannheim HRB 106906
www.fun.de
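The kind of error <Response> the quoted Web SSO profile text requires, as an added example that is not part of the original post: the identity provider answers with a Status only (no assertion, and no StatusMessage, so nothing beyond the standard status URIs is disclosed), and the service-provider side treats anything other than a matching, Success-coded response as a failed exchange. It uses only Python's standard ElementTree; the issuer, destination and request ID values are constructed.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Standard SAML 2.0 status URIs: top-level and second-level codes
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"


def build_error_response(issuer, in_response_to, destination,
                         top=RESPONDER, second=REQUEST_DENIED):
    """Minimal unsigned <samlp:Response> carrying only a <Status>.
    No <Assertion> and no <StatusMessage>: the error reveals nothing
    beyond the standard status URIs (signing is out of scope here)."""
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex,          # constructed, must be unique
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "InResponseTo": in_response_to,
    })
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    code = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=top)
    if second:
        # Second-level code nests inside the top-level StatusCode
        ET.SubElement(code, f"{{{SAMLP}}}StatusCode", Value=second)
    return ET.tostring(resp, encoding="unicode")


def parse_status(xml_text, expected_request_id):
    """SP-side check. Returns (ok, top_level_status_or_reason).
    A response that does not answer our request, lacks a Status, or
    carries any top-level code other than Success is a failed exchange."""
    root = ET.fromstring(xml_text)
    if root.get("InResponseTo") != expected_request_id:
        return False, "unsolicited-or-mismatched"
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None:
        return False, "missing-status"
    top = code.get("Value")
    return top == SUCCESS, top
```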