

Subject: RE: Tighten up some use cases


Good catch. So let's just sign the assertion(s). If someone wants to additionally sign the Response that's up to them (but irrelevant in terms of the use cases).

Tom.

-----Original Message-----
From: Laferriere, Leo [mailto:Leo.Leferriere@ca.com]
Sent: Wednesday, January 26, 2005 1:45 PM
To: Adam Dong; Thomas Wisniewski
Cc: samldemotech
Subject: RE: Tighten up some use cases


I believe [SAMLPROF] section 4.1.4.5 states "If the HTTP POST binding is
used to deliver the <Response>, the enclosed assertion(s) MUST be
signed."

Since we are using the POST binding I would recommend signing just the
assertion and adhering to the spec.

Leo Laferriere


-----Original Message-----
From: Adam Dong [mailto:adam.dong@Sun.COM]
Sent: Wednesday, January 26, 2005 1:09 PM
To: Thomas Wisniewski
Cc: samldemotech
Subject: Re: Tighten up some use cases

Thomas Wisniewski wrote:

> All, here are some additional assumptions we should consider:
>
> - Each SP should support/define only a single assertion consumer
> endpoint. I would recommend that index 0 be used for that endpoint.
> This implies that if an AuthnRequest asks for a specific endpoint, it
> will be the 0-indexed endpoint.
>

Agree, each SP's metadata file just includes a single assertion
consumer service with the binding being HTTP-POST and the index being 0.

> - For a Response, we should decide on whether we are signing the
> Response or the Assertion (i.e., only use one approach).
>

Let's just sign the Response, i.e., the root element.

> Tom.
>
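Added example, not code from the thread or from the SAML demo project: the structural pre-check an SP could apply to a POST-delivered Response to enforce the [SAMLPROF] 4.1.4.5 rule quoted above, distinguishing "only the Response root is signed" from "each enclosed assertion is signed". It assumes Python's standard library only; the sample documents are constructed, and the empty ds:Signature elements are placeholders for real signatures (no cryptographic verification is performed here).

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"


def assertion_signing_report(response_xml: str) -> dict:
    """Structural pre-check for a <samlp:Response> received over HTTP POST.

    Reports whether the Response root is signed and which enclosed
    assertions lack an enveloped ds:Signature. It does NOT verify any
    signature cryptographically; run an XML-DSig verifier afterwards.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("root element is not samlp:Response")
    response_signed = root.find(f"{{{DS}}}Signature") is not None
    assertions = root.findall(f"{{{SAML}}}Assertion")
    unsigned = [a.get("ID", "<no ID>") for a in assertions
                if a.find(f"{{{DS}}}Signature") is None]
    return {
        "response_signed": response_signed,
        "assertion_count": len(assertions),
        "unsigned_assertion_ids": unsigned,
        # POST binding rule: every enclosed assertion MUST be signed; a
        # signature on the Response alone does not satisfy it.
        "post_binding_ok": len(assertions) > 0 and not unsigned,
    }


# Constructed sample: only the Response root is signed (the approach first
# proposed in the thread); the enclosed assertion carries no signature.
RESPONSE_ONLY_SIGNED = f"""<samlp:Response xmlns:samlp="{SAMLP}"
  xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="_r1"><ds:Signature/>
  <saml:Assertion ID="_a1"><saml:Issuer>idp.example</saml:Issuer></saml:Assertion>
</samlp:Response>"""

# Constructed sample: the assertion itself is signed, as the profile requires.
ASSERTION_SIGNED = f"""<samlp:Response xmlns:samlp="{SAMLP}"
  xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="_r2">
  <saml:Assertion ID="_a2"><saml:Issuer>idp.example</saml:Issuer>
    <ds:Signature/></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(assertion_signing_report(RESPONSE_ONLY_SIGNED))  # post_binding_ok: False
    print(assertion_signing_report(ASSERTION_SIGNED))      # post_binding_ok: True
```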




