saml-dev message



Subject: Re: [saml-dev] preserving query parameters in AssertionConsumerServiceURL


On Tue, Apr 14, 2009 at 3:09 AM, Mihaylov, Dimitar
<dimitar.mihaylov@sap.com> wrote:
>
> I am a bit confused by your answer because my question was about the
> SAML 2.0 standard and not about any concrete implementation or personal
> preference. Could you or anybody else in the mailing list give a short
> real-life example of when AssertionConsumerServiceURL and when
> AssertionConsumerServiceIndex should be used?

At the risk of prolonging a thread that has already gone on too long
IMO, I'll contribute my two cents.  First, I don't think the standard
is broken in any way with respect to AssertionConsumerServiceURL and
AssertionConsumerServiceIndex attributes.  Second, the only time it
seems to make sense to use one of these attributes is when the request
is signed (which has already been pointed out, I think).  And third,
it depends on the given profile how the requirements of Core should be
met, and this issue is no exception.

With respect to the latter, I think the Web Browser SSO Profile does
an adequate job of specifying the AssertionConsumerServiceURL and
AssertionConsumerServiceIndex attributes.  As another example, see the
Holder-of-Key Web Browser SSO Profile:

http://wiki.oasis-open.org/security/SamlHoKWebSSOProfile

Note that the latter is in Public Review at this very moment, so your
comments are encouraged.

Tom


> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Thursday, April 09, 2009 5:35 PM
> To: Mihaylov, Dimitar
> Cc: saml-dev@lists.oasis-open.org
> Subject: RE: [saml-dev] preserving query parameters in
> AssertionConsumerServiceURL
>
> Mihaylov, Dimitar wrote on 2009-04-09:
>> One final question for my understanding - if the received
>> AssertionConsumerServiceURL should always be exactly checked against the
>> metadata why not use the AssertionConsumerServiceIndex then? It will
>> be much cheaper. I don't see the point of having two mutually exclusive
>> approaches for the same functionality.
>
> Indexing came from Liberty, probably to save space. I don't like it much
> because it entangles things quite a bit so that the indexing matches, and it
> precludes the ability to respond to SPs for which you don't have metadata
> using a default policy of some sort.
>
> As for being "much cheaper", I don't know what that means, unless you mean
> space.
>
> -- Scott
>
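
Added example, not part of the original messages and not any product's code: a sketch of how an identity provider that holds the SP's metadata could resolve the response endpoint from an AuthnRequest, covering the exact-match check on AssertionConsumerServiceURL (query string included), the AssertionConsumerServiceIndex lookup, and the fallback to the default endpoint. The metadata, the sp.example.org URLs and the helper names are constructed for illustration; signature verification and the no-metadata default policy mentioned in the thread are out of scope.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata: two endpoints, one carrying a query string.
SP_METADATA = f"""
<SPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <AssertionConsumerService index="0" isDefault="true" Binding="{POST}"
      Location="https://sp.example.org/acs"/>
  <AssertionConsumerService index="1" Binding="{POST}"
      Location="https://sp.example.org/acs?tenant=a"/>
</SPSSODescriptor>"""

def resolve_acs(authn_request_xml, sp_metadata_xml=SP_METADATA):
    """Return the ACS Location the response may be sent to, or raise ValueError."""
    req = ET.fromstring(authn_request_xml)
    endpoints = ET.fromstring(sp_metadata_xml).findall(f"{MD}AssertionConsumerService")
    url = req.get("AssertionConsumerServiceURL")
    index = req.get("AssertionConsumerServiceIndex")
    if url is not None and index is not None:
        raise ValueError("URL and Index are mutually exclusive")
    if index is not None:
        # Index form: the request names a registered endpoint by number.
        matches = [e for e in endpoints if int(e.get("index")) == int(index)]
    elif url is not None:
        # URL form: exact string comparison, no normalisation, query string included.
        binding = req.get("ProtocolBinding")
        matches = [e for e in endpoints if e.get("Location") == url
                   and binding in (None, e.get("Binding"))]
    else:
        # Neither attribute: use the default endpoint (simplified: isDefault, else first).
        matches = [e for e in endpoints if e.get("isDefault") == "true"] or endpoints[:1]
    if not matches:
        raise ValueError("requested endpoint is not registered in metadata")
    return matches[0].get("Location")

def authn_request(**attrs):
    """Build a constructed, unsigned AuthnRequest carrying only the given attributes."""
    el = ET.Element("{urn:oasis:names:tc:SAML:2.0:protocol}AuthnRequest", attrs)
    return ET.tostring(el, encoding="unicode")
```

With this metadata, a request for `https://sp.example.org/acs?tenant=a` and a request for index 1 resolve to the same endpoint, while `?tenant=b` is rejected because it is not a registered Location.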

