OASIS Mailing List Archives



saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [saml-dev] preserving query parameters in AssertionConsumerServiceURL

> For the record, the sessionId in my example is not an actual session
> encapsulating access, but one that differentiates different screen
> streams within the same session. Maybe I should have made the example a
> bit more generic by using query parameters a to z.

That's fine, but you weren't claiming there was an attack vector involved
either. ;-)

> I understand Scott's argument, but basically it falls down to not being
> able to use the URL I want because the SP needs some reliable way to
> compare my AssertionConsumerURL with the metadata.

You mean the IdP. And yes, the spec requires *some* reliable way to do it,
and from an implementation PoV, you can't just assume signed requests,
though that observation certainly is relevant in terms of how one might
avoid the check. But that doesn't solve the problem when they aren't signed.

> Which feels like the application of the standard is skewed toward the
> implementation responder side.

Again, what would you propose the responder do exactly? It's not skewed
unless you can point out some other way to solve the problem. I guess it
won't help you, but at least it justifies the complaint. As it stands, I
don't see it.

> I can live with it, but unless the standard is amended to read "The
> AssertionConsumerURL MUST match the actual URL held in the metadata", I
> don't think the standard has been fully implemented, or fully thought
> out.

I obviously don't agree, but errata are cheap. The obvious place for that is
the metadata usage section of the profile, seems like.

-- Scott
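The check Scott is describing, written out as an added example (this is not code from the thread, from OASIS, or from any SAML implementation): an IdP resolves the AssertionConsumerService endpoint for an incoming AuthnRequest. When the request is unsigned, the AssertionConsumerServiceURL is compared exactly against the Location values registered in the SP's metadata, so a URL carrying extra query parameters is refused; when the IdP has already verified a signature on the request, the metadata comparison is skipped, which is the "how one might avoid the check" point above. The SP metadata, the request values and the function names are all constructed for illustration.

```python
"""IdP-side AssertionConsumerServiceURL resolution against SP metadata.

Added example, not code from the original thread. The metadata snippet,
the request values and the helper names are constructed for illustration.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata: two registered endpoints, neither with a query string.
SP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sp.example.org/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="{POST_BINDING}"
        Location="https://sp.example.org/saml/acs" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="{POST_BINDING}"
        Location="https://sp.example.org/saml/acs2" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def load_acs_endpoints(metadata_xml):
    """Return {index: (binding, location, is_default)} for each AssertionConsumerService."""
    root = ET.fromstring(metadata_xml)
    endpoints = {}
    for acs in root.iter(f"{{{MD_NS}}}AssertionConsumerService"):
        is_default = acs.get("isDefault", "false").lower() == "true"
        endpoints[int(acs.get("index"))] = (acs.get("Binding"), acs.get("Location"), is_default)
    return endpoints


def resolve_acs(endpoints, request_signed, acs_url=None, acs_index=None,
                protocol_binding=POST_BINDING):
    """Decide where the IdP may deliver the response for one AuthnRequest.

    request_signed must be True only if the IdP has already verified the
    request signature against the SP's metadata-published key.
    Returns (binding, location) or raises ValueError.
    """
    if acs_index is not None:
        # Index form: the SP names a registered endpoint, so no URL comparison is needed.
        if acs_index not in endpoints:
            raise ValueError(f"unknown AssertionConsumerServiceIndex {acs_index}")
        binding, location, _ = endpoints[acs_index]
        return (binding, location)

    if acs_url is None:
        # Neither form given: use the endpoint the SP marked as default, else the lowest index.
        defaults = [i for i, (_, _, d) in endpoints.items() if d]
        binding, location, _ = endpoints[defaults[0] if defaults else min(endpoints)]
        return (binding, location)

    if request_signed:
        # A verified signature means the SP itself vouched for this URL, query string and all,
        # so the metadata comparison can be skipped.
        return (protocol_binding, acs_url)

    # Unsigned request: the URL is under the requester's control, so it must match a
    # registered Location exactly. Extra query parameters make this comparison fail.
    for binding, location, _ in endpoints.values():
        if binding == protocol_binding and location == acs_url:
            return (binding, location)
    raise ValueError(f"AssertionConsumerServiceURL {acs_url!r} is not registered "
                     f"for binding {protocol_binding}")


def is_rejected(endpoints, request_signed, **request):
    """True when resolve_acs refuses the request; used to exercise the failure paths."""
    try:
        resolve_acs(endpoints, request_signed, **request)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    eps = load_acs_endpoints(SP_METADATA)
    unsigned_with_query = dict(acs_url="https://sp.example.org/saml/acs?sessionId=42")
    print("exact match, unsigned:", resolve_acs(eps, False, acs_url="https://sp.example.org/saml/acs"))
    print("query string, unsigned rejected:", is_rejected(eps, False, **unsigned_with_query))
    print("query string, signed:", resolve_acs(eps, True, **unsigned_with_query))
    print("by index:", resolve_acs(eps, False, acs_index=1))
```

The two accepting paths are the ones the message implies: a registered URL, or a URL the SP has signed for. Anything else an IdP might do with a query string in an unsigned request (stripping it, matching on prefix) is a relaxation this example deliberately does not make, because the unsigned URL is exactly the value a third party can supply.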
