OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [saml-dev] Response Processing

On Thu, Dec 18, 2008 at 3:20 AM, Luh, Torsten <torsten.luh@sap.com> wrote:
> I have a question regarding the Response Processing. The profile standard
> contains the sections "<Response> Usage" ( and "<Response> Message
> Processing Rules" (

It would help if you said what specification you are referring to
(there are many).

> Obviously, the latter section is only relevant
> for SPs. However, I am wondering what about the former section, is it only
> relevant for the IDP that is issuing the response? As an example, the
> section mentions that "If multiple assertions are included, then each
> assertion's <Subject> element MUST refer to the same principal.". It is
> clear that the IDP must ensure that when issueing the response. But does the
> SP also need to check this?

Is there normative language to that effect?  If not, then no, the SP
does not need to check it.

> Or does section contain the complete
> processing rules for the SP?

That's always a good question, and quite possibly it's why OASIS now
requires that every specification have a conformance section, so that
authors make this clear to their readers.

> Another issue that was discussed internally refers to multiple assertions in
> the response (SSO profile). If multiple assertions are present in a
> response, is it sufficient to rely on the first valid assertion or is it
> necessary to ensure that all assertions are valid in order to rely on an
> arbitrary one?

There's nothing preventing the SP from relying on the first of
multiple assertions.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]