Re: [saml-dev] Response Processing

["Tom Scavo" <trscavo@gmail.com>]

On Thu, Dec 18, 2008 at 3:20 AM, Luh, Torsten <torsten.luh@sap.com> wrote:
>
> I have a question regarding the Response Processing. The profile standard
> contains the sections "<Response> Usage" (4.1.4.2) and "<Response> Message
> Processing Rules" (4.1.4.3).

It would help if you said what specification you are referring to
(there are many).

> Obviously, the latter section is only relevant
> for SPs. However, I am wondering what about the former section, is it only
> relevant for the IDP that is issuing the response? As an example, the
> section mentions that "If multiple assertions are included, then each
> assertion's <Subject> element MUST refer to the same principal.". It is
> clear that the IDP must ensure that when issueing the response. But does the
> SP also need to check this?

Is there normative language to that effect?  If not, then no, the SP
does not need to check it.

> Or does section 4.1.4.3 contain the complete
> processing rules for the SP?

That's always a good question, and quite possibly it's why OASIS now
requires that every specification have a conformance section, so that
authors make this clear to their readers.

> Another issue that was discussed internally refers to multiple assertions in
> the response (SSO profile). If multiple assertions are present in a
> response, is it sufficient to rely on the first valid assertion or is it
> necessary to ensure that all assertions are valid in order to rely on an
> arbitrary one?

There's nothing preventing the SP from relying on the first of
multiple assertions.

Tom