OASIS Mailing List Archives

saml-dev message



Subject: Re: [saml-dev] Destination vs. Recipient and signing of Assertion vs. Response


On 11/22/07, Scott Cantor <cantor.2@osu.edu> wrote:
>
> I believe that the SSO profile says explicitly that you can sign
> either layer, but I don't have it in front of me right this second.

See the SAML V2.0 Errata document:

http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf

Lines 625--630 say the following:

Original at Section 4.1.4.5, lines 600-601:
If the HTTP POST binding is used to deliver the <Response>, the
enclosed assertion(s) MUST be signed.

New at Section 4.1.4.5, lines 600-601:
If the HTTP POST binding is used to deliver the <Response>, each
assertion MUST be protected by a digital signature. This can be
accomplished by signing each individual <Assertion> element or by
signing the <Response> element.

Hope this helps,
Tom
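
The erratum quoted above lets either layer carry the signature. As an added example (not part of the original message or of any SAML library), this Python check confirms structurally that every assertion in a Response is covered by a signature on the `<Assertion>` itself or on the enclosing `<Response>`. The function names and the skeleton sample documents are constructed for illustration; it assumes unencrypted assertions and does not verify the signature values, which a service provider must do separately.

```python
import xml.etree.ElementTree as ET  # for untrusted input prefer a hardened parser

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signs_itself(elem):
    """True if elem has a direct-child ds:Signature with exactly one
    Reference, and that Reference points at elem's own ID."""
    elem_id = elem.get("ID")
    if not elem_id:
        return False
    for sig in elem.findall("ds:Signature", NS):  # direct children only
        refs = sig.findall("ds:SignedInfo/ds:Reference", NS)
        if len(refs) == 1 and refs[0].get("URI") == "#" + elem_id:
            return True
    return False

def unprotected_assertions(response_xml):
    """Return the IDs of assertions covered by neither signature layer."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    if signs_itself(root):
        return []  # a Response-level signature covers every enclosed assertion
    return [a.get("ID") for a in root.findall("saml:Assertion", NS)
            if not signs_itself(a)]

# Constructed skeleton documents (not schema-valid, no real signature values).
def sample_sig(ref_id):
    return ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:Reference URI="#%s"/>'
            '</ds:SignedInfo></ds:Signature>' % (NS["ds"], ref_id))

def sample_response(response_signed, *assertions):
    """assertions is a sequence of (ID, signed) pairs."""
    body = "".join('<saml:Assertion ID="%s">%s</saml:Assertion>'
                   % (aid, sample_sig(aid) if signed else "")
                   for aid, signed in assertions)
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="r1">%s%s'
            '</samlp:Response>' % (NS["samlp"], NS["saml"],
                                   sample_sig("r1") if response_signed else "", body))

if __name__ == "__main__":
    print(unprotected_assertions(sample_response(False, ("a1", True), ("a2", False))))
```

A signature whose Reference points at some other element's ID is treated as not covering the assertion, so a misplaced or relocated signature does not satisfy the check.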

