
saml-dev message


Subject: preserving query parameters in AssertionConsumerServiceURL

In the following AuthRequest, where the AssertionConsumerServiceURL contains all the query parameters necessary for my application to identify the user session: AssertionConsumerServiceURL=https://myserver:8080/ufs/user/framedResponse.jsp?app=ABC&esessionid=ABD08C9312D090FAFDBABCD98D591780
<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    AssertionConsumerServiceURL="https://myserver:8080/ufs/user/framedResponse.jsp?app=ABC&amp;esessionid=ABD08C9312D090FAFDBABCD98D591780 "
    AttributeConsumingServiceIndex="42"
    ForceAuthn="true"
    ID="XgprlSg6nkMfSkcnnh-esa"
    IssueInstant="2009-03-23T14:15:18Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="TEST"
    Version="2.0">
  <saml:Issuer>com.test/user/framedresponse</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
  <samlp:RequestedAuthnContext Comparison="minimum">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</saml:AuthnContextClassRef>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
However, the decoded SAMLResponse is sent to /ufs/user/framedResponse.jsp?app=ABC without the necessary esessionid parameter.
I am trying to argue with the Assertion providers that this violates the SAML standard, but I have failed to back this up with appropriate references.
Could you help me argue my point that the AssertionConsumerServiceURL value should be used as is by the assertion provider, without modification?
Any help or pointer will be appreciated.

Franck Schmidlin
Transformation Technical Consultant - Integration
Technical Architect - Northgate Hub

Northgate Public Services

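Added example, not part of the original message: a Python check a service provider operator could run to see which query parameters of the requested AssertionConsumerServiceURL are missing from the URL the response was actually delivered to. The function names and the session id in the sample request are assumptions constructed for illustration.

```python
# Added example: compare the ACS URL an AuthnRequest asks for with the URL
# the SAMLResponse was delivered to. Intended for requests your own SP generated.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qsl

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: trimmed AuthnRequest shaped like the one in the message,
# with a placeholder session id and the same trailing space in the attribute.
SAMPLE_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'AssertionConsumerServiceURL="https://myserver:8080/ufs/user/framedResponse.jsp'
    '?app=ABC&amp;esessionid=EXAMPLE-SESSION-ID " ID="example-id" Version="2.0"/>'
)

def requested_acs_url(authn_request_xml):
    """Return AssertionConsumerServiceURL exactly as an XML parser sees it."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a samlp:AuthnRequest")
    value = root.get("AssertionConsumerServiceURL")
    if value is None:
        raise ValueError("request carries no AssertionConsumerServiceURL")
    return value  # '&amp;' is already decoded to '&' at this point

def diff_acs_delivery(requested, delivered):
    """Report how the delivery URL differs from the requested ACS URL."""
    req, dlv = urlsplit(requested.strip()), urlsplit(delivered.strip())
    req_params = parse_qsl(req.query, keep_blank_values=True)
    dlv_params = parse_qsl(dlv.query, keep_blank_values=True)
    return {
        "exact_match": requested == delivered,
        # Leading/trailing whitespace inside the attribute value is worth
        # knowing about when arguing over an exact-value comparison.
        "padded": requested != requested.strip(),
        "same_endpoint": (req.scheme, req.netloc, req.path)
                         == (dlv.scheme, dlv.netloc, dlv.path),
        "missing": [k for k, v in req_params if (k, v) not in dlv_params],
        "added": [k for k, v in dlv_params if (k, v) not in req_params],
    }

if __name__ == "__main__":
    asked = requested_acs_url(SAMPLE_REQUEST)
    # Constructed delivery URL matching the behaviour described in the message.
    seen = "https://myserver:8080/ufs/user/framedResponse.jsp?app=ABC"
    print(repr(asked))
    print(diff_acs_delivery(asked, seen))
```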
