
saml-dev message


Subject: SAML error responses & security


The SAML 2 specs contain language for most of the protocols and bindings that seems to 
_require_ an entity to send a SAML response, even for indicating errors:

* Web SSO Profile (SAMLProf, 519/20):

"If the identity provider cannot or will not satisfy the request, it MUST respond with a 
<Response> message containing an appropriate error status code or codes."

* SLO profile (SAMLProf, 1256-59)

"After processing the message or upon encountering an error, the entity MUST issue a
<LogoutResponse> message containing an appropriate status code to the requesting identity 
provider to complete the SAML protocol exchange."

* Redirect Binding (SAMLBind, 682/83)

"HTTP interactions during the message exchange MUST NOT use HTTP error status codes to 
indicate failures in SAML processing, since the user agent is not a full party to the SAML 
protocol exchange."

Now there may be situations where it seems favorable not to respond for security reasons. 
Am I missing something or would not responding be a violation of the spec in many cases?


Andreas Vallen  Software Engineer
Tel: +49 721 96448-132   Fax: +49 721 96448-299   andreas.vallen@fun.de
fun communications GmbH   Lorenzstrasse 29   D-76135 Karlsruhe
Managing Directors Stefan Bamberg, Johannes Feulner, Klaus Nahr
Mannheim District Court (Amtsgericht Mannheim) HRB 106906   www.fun.de
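As an added illustration of the spec language quoted above (this code is not part of the original message and not from any SAML product), the following Python builds the kind of error message the Web SSO and SLO profiles require: a <samlp:Response> or <samlp:LogoutResponse> whose failure is carried in <samlp:Status>, returned over the HTTP POST binding with a normal HTTP 200 rather than an HTTP error code. The status-code URIs are the standard ones from SAML 2.0 Core; the entity IDs, request IDs and endpoint URLs are made-up sample values. The example keeps the security angle in view: the top-level and second-level codes are generic (Responder / RequestDenied) and no StatusMessage is attached, so a compliant reply discloses nothing about why the request failed.

```python
import base64
import html
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Top-level status codes defined by SAML 2.0 Core.
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_VERSION_MISMATCH = "urn:oasis:names:tc:SAML:2.0:status:VersionMismatch"
# Second-level codes that may be nested under a top-level code.
STATUS_REQUEST_DENIED = "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"
STATUS_NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"


def build_error_response(element, in_response_to, issuer, destination,
                         top_status, second_status=None, status_message=None):
    """Build a <samlp:Response> (Web SSO) or <samlp:LogoutResponse> (SLO) that
    reports an error in <samlp:Status>. No <saml:Assertion> is included.
    status_message is optional on purpose: leaving it out avoids leaking the
    reason for the failure to the requester or the user agent."""
    if top_status == STATUS_SUCCESS:
        raise ValueError("an error response must not carry the Success code")
    if element not in ("Response", "LogoutResponse"):
        raise ValueError("unsupported response element: %r" % element)
    root = ET.Element("{%s}%s" % (SAMLP, element), {
        "ID": "_" + uuid.uuid4().hex,                 # sample ID scheme
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "InResponseTo": in_response_to,               # ties the error to the request
    })
    ET.SubElement(root, "{%s}Issuer" % SAML).text = issuer
    status = ET.SubElement(root, "{%s}Status" % SAMLP)
    code = ET.SubElement(status, "{%s}StatusCode" % SAMLP, {"Value": top_status})
    if second_status:
        ET.SubElement(code, "{%s}StatusCode" % SAMLP, {"Value": second_status})
    if status_message:
        ET.SubElement(status, "{%s}StatusMessage" % SAMLP).text = status_message
    return ET.tostring(root, encoding="unicode")


def parse_status(xml_text):
    """Return (top_level_code, second_level_code_or_None, message_or_None)
    from a SAML response; this is what the receiving SP/IdP would check."""
    root = ET.fromstring(xml_text)
    status = root.find("{%s}Status" % SAMLP)
    top = status.find("{%s}StatusCode" % SAMLP)
    second = top.find("{%s}StatusCode" % SAMLP)
    msg = status.find("{%s}StatusMessage" % SAMLP)
    return (top.get("Value"),
            second.get("Value") if second is not None else None,
            msg.text if msg is not None else None)


def post_binding_reply(response_xml, destination, relay_state=None):
    """HTTP POST binding: the (error) response travels base64-encoded in an
    auto-submitting form and the HTTP status is 200, as SAMLBind requires.
    Returns (http_status, html_body)."""
    encoded = base64.b64encode(response_xml.encode("utf-8")).decode("ascii")
    fields = ['<input type="hidden" name="SAMLResponse" value="%s"/>'
              % html.escape(encoded)]
    if relay_state is not None:
        fields.append('<input type="hidden" name="RelayState" value="%s"/>'
                      % html.escape(relay_state))
    body = ('<html><body onload="document.forms[0].submit()">'
            '<form method="post" action="%s">%s'
            '<noscript><input type="submit" value="Continue"/></noscript>'
            '</form></body></html>' % (html.escape(destination), "".join(fields)))
    return 200, body


if __name__ == "__main__":
    # Sample Web SSO failure: the IdP declines to authenticate for the SP.
    resp = build_error_response("Response", "_req1",
                                "https://idp.example.org/metadata",   # sample
                                "https://sp.example.org/acs",         # sample
                                STATUS_RESPONDER, STATUS_REQUEST_DENIED)
    print(parse_status(resp))
    print(post_binding_reply(resp, "https://sp.example.org/acs", "state-1")[0])
```

Note the deliberate choices: the reply is bound to the request through InResponseTo, carries only generic status URIs, and omits StatusMessage; whether a deployment is ever justified in sending nothing at all is the question the message above raises and is not settled by this example.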
