Subject: RE: [saml-dev] supporting the AuthnRequest protocol


It is a requirement of the conformance spec that both IDP operational modes
MUST support the AuthnRequest message.  So if you want a conforming
implementation, you have to support the message over the indicated bindings,
which means you need the endpoint.  Thus IMO, it isn't a bug in the metadata
spec.

One could try to make a case that it wasn't necessary to mandate
SP-initiated SSO for IDPs in conformance.  However, we opted to include it
because the specification of SP-initiated SSO was a MAJOR use case that was
added as part of SAML 2.0.  I, at least, would not have supported defining
yet another IDP mode that only supported IDP-initiated SSO.

Rob Philpott | Senior Technologist | RSA, the Security Division of EMC
eMail: robert.philpott@rsa.com | Office: 781.515.7115 | Mobile: 617.510.0893


> -----Original Message-----
> From: Cantor, Scott [mailto:cantor.2@osu.edu]
> Sent: Sunday, March 17, 2013 3:24 PM
> To: Tom Scavo; SAML Developers
> Subject: Re: [saml-dev] supporting the AuthnRequest protocol
> 
> On 3/17/13 3:15 PM, "Tom Scavo" <trscavo@gmail.com> wrote:
> >
> >In metadata, however, the schema requires at least one
> >SingleSignOnService endpoint in every IDPSSODescriptor. That's
> >unfortunate since it forces every IdP (that relies on metadata) to
> >support SP-initiated SSO. An IdP that wishes to support IdP-initiated
> >SSO only is out of luck, at least in terms of metadata.
> 
> Unless you just define a binding to represent what IdP-initiated SSO
> really is, which is just a non-standard binding for a different sort of
> request.
> 
> >I would call that a bug (in the metadata schema). What do others think?
> 
> I think it's irrelevant, since it can't be fixed, but is fortunately an
> easily worked around problem.
> 
> -- Scott

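An added example, not code from the thread or from any SAML implementation, that applies the metadata rule under discussion to constructed sample metadata: it lists each IDPSSODescriptor's SingleSignOnService endpoints, flags a descriptor with none (which the schema rejects), and shows the non-standard-binding workaround using a placeholder binding URI that is an assumption, not a real SAML binding.

```python
import xml.etree.ElementTree as ET
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
# Standard SAML 2.0 bindings over which an IdP receives AuthnRequest messages.
STANDARD_SSO_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}
# Hypothetical placeholder for the thread's "non-standard binding" workaround; not a real SAML binding.
IDP_INITIATED_BINDING = "urn:example:bindings:idp-initiated"

# Constructed sample (protocolSupportEnumeration omitted for brevity): idp-a has standard
# AuthnRequest endpoints, idp-b only the placeholder binding, idp-c no SingleSignOnService.
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{MD}">
 <md:EntityDescriptor entityID="https://idp-a.example/idp"><md:IDPSSODescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp-a.example/sso"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://idp-a.example/sso"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp-b.example/idp"><md:IDPSSODescriptor>
  <md:SingleSignOnService Binding="{IDP_INITIATED_BINDING}"
   Location="https://idp-b.example/unsolicited"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp-c.example/idp"><md:IDPSSODescriptor/>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def sso_endpoints(metadata_xml):
    """entityID -> [(Binding, Location), ...] for every IDPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    out = {}
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        for idp in ed.findall("md:IDPSSODescriptor", NS):
            out[ed.get("entityID")] = [(s.get("Binding"), s.get("Location"))
                                       for s in idp.findall("md:SingleSignOnService", NS)]
    return out

def classify(metadata_xml):
    """entityID -> 'authnrequest' (standard binding advertised), 'nonstandard-only'
    (endpoint only on a non-standard binding), or 'no-endpoint' (rejected by the schema)."""
    verdict = {}
    for eid, eps in sso_endpoints(metadata_xml).items():
        bindings = {b for b, _ in eps}
        if bindings & STANDARD_SSO_BINDINGS:
            verdict[eid] = "authnrequest"
        else:
            verdict[eid] = "nonstandard-only" if bindings else "no-endpoint"
    return verdict
```

Run against real metadata, `no-endpoint` is what a schema-validating consumer would reject, and `nonstandard-only` marks an IdP that satisfies the schema without advertising any AuthnRequest endpoint on a standard binding.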