OASIS Mailing List Archives

saml-dev message



Subject: RE: [saml-dev] preserving query parameters in AssertionConsumerServiceURL


>> I am a bit confused from your answer because my question was about the
>> SAML 2.0 standard and not about any concrete implementation or personal
>> preference. Could you or anybody else in the mailing list give a short
>> real life example when AssertionConsumerServiceURL and when
>> AssertionConsumerServiceIndex should be used?

Either you want to know what the standard says, or you want real life input.
Which would you prefer? Real life input involves the person answering using
their personal opinion and experience with implementations to answer your
question, which is what I did. I don't much like indexes and they have a
variety of drawbacks, the lone exception being they save space. If that's
not important, I see no reason to use them at all and suggest that people
don't. But that's a personal opinion.

As far as the standard is concerned, I agree with Tom that while there are
some edge cases worth discussing, such as the query string issue, the
explicit processing rules associated with using indexes vs. ACSURL +
ProtocolBinding attributes are fairly clear. You can either send the
location by reference or value. Pretty typical stuff. If something there is
unclear, I'll answer further.

> Second, the only time it
> seems to make sense to use one of these attributes is when the request
> is signed (which has already been pointed out, I think).

I'm not sure why that would be the conclusion. What signing does, as was
pointed out, is give you a plausible reason to ignore the metadata checking
of the location. Absent a signature, you have to perform some kind of check,
or simply not worry about who the data's going to, use encryption, or
whatever.

But the ability to specify the location, using either method, is still
useful without signing. You may not even have metadata for the SP, as in a
case with the user handling consent. Or the SP may want to specify the
outbound binding for various reasons.

-- Scott
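The processing rules Scott refers to (location by reference via AssertionConsumerServiceIndex, or by value via AssertionConsumerServiceURL plus ProtocolBinding, with the metadata check on the by-value location skippable only when the request is signed) can be shown end to end on the IdP side. The following is an added example written for this archive page, not code from the thread or from any SAML implementation; the function names, the sample SP metadata and the sample requests are constructed here. Signature verification is assumed to have happened elsewhere and is represented by the `request_signed` flag, and the `allow_extra_query` policy for the query-string edge case is an assumed local choice, not a rule taken from the specification.

```python
"""Resolve and validate the AssertionConsumerService endpoint named in a SAML 2.0
AuthnRequest against the SP's metadata (added example; names and data constructed)."""
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"


@dataclass(frozen=True)
class ACS:
    index: int
    binding: str
    location: str
    is_default: bool = False


def parse_sp_metadata(xml_text: str) -> List[ACS]:
    """Collect the AssertionConsumerService endpoints from an SP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    return [ACS(int(el.get("index")), el.get("Binding"), el.get("Location"),
                el.get("isDefault", "false").lower() == "true")
            for el in root.iterfind("md:SPSSODescriptor/md:AssertionConsumerService", NS)]


def _same_location(requested: str, registered: str, allow_extra_query: bool) -> bool:
    """Scheme, host, port and path must match exactly. The query string is the edge
    case the thread discusses: by default it must match too; only with
    allow_extra_query (an assumed policy) may the SP append parameters to an
    endpoint that was registered without any."""
    a, b = urlsplit(requested), urlsplit(registered)
    if (a.scheme.lower(), a.netloc.lower(), a.path) != (b.scheme.lower(), b.netloc.lower(), b.path):
        return False
    return a.query == b.query or (allow_extra_query and b.query == "")


def resolve_acs(request_xml: str, endpoints: List[ACS], request_signed: bool = False,
                allow_extra_query: bool = False) -> ACS:
    """Return the endpoint the <Response> must be sent to, or raise ValueError.
    request_signed means the request signature was already verified against the
    SP's key (assumed done elsewhere); only then may a by-value URL skip the
    metadata check."""
    root = ET.fromstring(request_xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not an AuthnRequest")
    idx = root.get("AssertionConsumerServiceIndex")
    url = root.get("AssertionConsumerServiceURL")
    binding = root.get("ProtocolBinding")

    # SAML Core 3.4.1: the index is mutually exclusive with URL and ProtocolBinding.
    if idx is not None and (url is not None or binding is not None):
        raise ValueError("AssertionConsumerServiceIndex conflicts with URL/ProtocolBinding")

    if idx is not None:
        # By reference: an index means nothing without metadata, signed or not.
        for ep in endpoints:
            if ep.index == int(idx):
                return ep
        raise ValueError("unknown AssertionConsumerServiceIndex %s" % idx)

    if url is not None:
        # By value: accept if a registered endpoint has the same location (and the
        # same binding, when the request names one); keep the requested URL so any
        # permitted query string is preserved in the returned endpoint.
        for ep in endpoints:
            if _same_location(url, ep.location, allow_extra_query) and \
               (binding is None or binding == ep.binding):
                return ACS(ep.index, ep.binding, url, ep.is_default)
        if request_signed:
            # The signature proves the SP asked for this location; trust it as given.
            # Falling back to HTTP-POST when no binding is named is an assumption.
            return ACS(-1, binding or HTTP_POST, url)
        raise ValueError("AssertionConsumerServiceURL %s is not registered for this SP" % url)

    # Neither attribute: use the SP's default endpoint (isDefault, else lowest index).
    if not endpoints:
        raise ValueError("no AssertionConsumerService endpoints in metadata")
    return next((ep for ep in endpoints if ep.is_default), min(endpoints, key=lambda e: e.index))


def rejects(request_xml: str, endpoints: List[ACS], **kw) -> bool:
    """True if resolve_acs refuses the request."""
    try:
        resolve_acs(request_xml, endpoints, **kw)
        return False
    except ValueError:
        return True


# Constructed sample SP metadata: a default HTTP-POST endpoint and an Artifact one.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/saml/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.org/saml/artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def authn_request(**attrs) -> str:
    """Build a minimal constructed AuthnRequest carrying only the ACS-related attributes."""
    extra = "".join(' %s="%s"' % kv for kv in attrs.items())
    return ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
            ' ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"%s/>' % extra)
```

Run as a module, `resolve_acs` accepts index 1, the default endpoint when neither attribute is present, and a by-value URL that matches metadata; it refuses an unregistered URL (for example one pointing at a host the SP does not own) unless `request_signed` is set, and refuses a matching URL with an extra query string unless the assumed `allow_extra_query` policy is on.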
