OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [saml-dev] preserving query parameters in AssertionConsumerServiceURL

On Tue, Apr 14, 2009 at 3:09 AM, Mihaylov, Dimitar
<dimitar.mihaylov@sap.com> wrote:
> I am a bit confused from your answer because my question was about the
> SAML 2.0 standard and not about any concrete implementation or personal
> preference. Could you or anybody else in the mailing list give a short
> real life example when AssertionConsumerServiceURL and when
> AssertionConsumerServiceIndex should be used?

At the risk of prolonging a thread that has already gone on too long
IMO, I'll contribute my two cents.  First, I don't think the standard
is broken in any way with respect to AssertionConsumerServiceURL and
AssertionConsumerServiceIndex attributes.  Second, the only  time it
seems to make sense to use one of these attributes is when the request
is signed (which has already been pointed out, I think).  And third,
it depends on the given profile how the requirements of Core should be
met, and this issue is no exception.

With respect to the latter, I think the Web Browser SSO Profile does
an adequate job of specifying the AssertionConsumerServiceURL and
AssertionConsumerServiceIndex attributes.  As another example, see the
Holder-of-Key Web Browser SSO Profile:


Note that the latter is in Public Review at this very moment, so your
comments are encouraged.


> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Thursday, April 09, 2009 5:35 PM
> To: Mihaylov, Dimitar
> Cc: saml-dev@lists.oasis-open.org
> Subject: RE: [saml-dev] preserving query parameters in
> AssertionConsumerServiceURL
> Mihaylov, Dimitar wrote on 2009-04-09:
>> One final question for my understanding - if the received
>> AssertionConsumerServiceURL should always be exactly checked against
> the
>> metadata why not using then the AssertionConsumerServiceIndex? It will
>> be much cheaper. I don't see the point of having two mutually
> exclusive
>> approaches for the same functionality.
> Indexing came from Liberty, probably to save space. I don't like it much
> because it entangles things quite a bit so that the indexing matches,
> and it
> precludes the ability to respond to SPs for which you don't have
> metadata
> using a default policy of some sort.
> As for being "much cheaper", I don't know what that means, unless you
> mean
> space.
> -- Scott
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: saml-dev-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: saml-dev-help@lists.oasis-open.org

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]