security-services-comment message


Subject: SAML 2.0 Identity Provider Discovery Profile

SAML 2.0 Identity Provider Discovery Profile

Section 4.3 of [SAMLProf]

[lines 1063--1064]  Delete the phrase "when authentication of the
principal occurs" since the common domain writing service has no
knowledge of this event.  The service is simply carrying out the
wishes of the IdP.

[line 1066]  The phrases "no Path prefix" and "a Path prefix of "/""
refer to the most specific and most general paths, respectively.  Is
this intentional, and if so, why?

[lines 1066--1067]  The phrase "[common-domain]" is not well defined. 
Suppose the common domain is CommonDomain.com.  Then the Domain
attribute of the cookie should be set to ".CommonDomain.com".  RFC
2109 states that the Domain attribute "must always start with a dot." 
RFC 2965 (which obsoletes RFC 2109) states that if the Domain
attribute "does not start with a dot, the user agent supplies a
leading dot."  It is safest, however, to explicitly include the dot.

[line 1098]  The common domain server does not "set the cookie" on
behalf of the service provider.  Instead, it READS the cookie and
(presumably) returns the value in a query string parameter.
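The two services the message discusses, the common domain writing service (which appends an IdP to the cookie and sets it with an explicit dot-prefixed Domain attribute, as recommended above) and the common domain reading service (which reads the cookie and hands the value back to the service provider), as an added Python example that is not part of the original message or of the OASIS specification. It assumes the cookie name `_saml_idp` and the space-separated, base64-encoded list of entity identifiers (most recently used IdP last) from the profile itself, which the message does not quote; the `entityID` query parameter used by the reader is a hypothetical choice, since the message only says the value is "presumably" returned in a query string parameter. All entity identifiers and domains below are constructed sample values.

```python
import base64
from typing import List, Optional
from urllib.parse import urlencode

# Cookie name defined by the SAML 2.0 IdP Discovery Profile (assumed here, not quoted in the message)
COOKIE_NAME = "_saml_idp"


def normalize_domain(common_domain: str) -> str:
    """Return the cookie Domain attribute with an explicit leading dot.

    RFC 2965 says the user agent supplies a missing dot, but the message
    recommends writing it explicitly rather than relying on that behaviour.
    """
    domain = common_domain.strip()
    return domain if domain.startswith(".") else "." + domain


def encode_entity_ids(entity_ids: List[str]) -> str:
    # Profile encoding (assumed): each entityID base64-encoded, joined by one space
    return " ".join(base64.b64encode(e.encode("utf-8")).decode("ascii") for e in entity_ids)


def decode_entity_ids(value: str) -> List[str]:
    # Inverse of encode_entity_ids; tolerates repeated separators
    return [base64.b64decode(tok).decode("utf-8") for tok in value.split(" ") if tok]


def build_set_cookie(existing_value: Optional[str], idp_entity_id: str,
                     common_domain: str, path: str = "/") -> str:
    """Common domain writing service: append the IdP the principal just used
    (moving it to the end if already present) and emit a Set-Cookie header.
    The Domain attribute always carries the leading dot the message asks for."""
    ids = decode_entity_ids(existing_value) if existing_value else []
    ids = [e for e in ids if e != idp_entity_id] + [idp_entity_id]
    attrs = [
        f"{COOKIE_NAME}={encode_entity_ids(ids)}",
        f"Domain={normalize_domain(common_domain)}",
        f"Path={path}",
        "Secure",
    ]
    return "; ".join(attrs)


def cookie_value_from_set_cookie(set_cookie_header: str) -> str:
    # Extract the raw cookie value the browser would store and send back later
    return set_cookie_header.split(";", 1)[0].split("=", 1)[1]


def read_cookie_header(cookie_header: str) -> Optional[str]:
    """Common domain reading service: find the discovery cookie in a Cookie
    request header; the service reads it, it never sets it for the SP."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            return value.strip('"')
    return None


def discovery_redirect(return_url: str, cookie_header: str, param: str = "entityID") -> str:
    """Return the URL the reading service redirects to: the SP's return URL,
    with the most recently used IdP in a query parameter (parameter name is a
    hypothetical choice). With no cookie, the SP gets back an unadorned URL."""
    value = read_cookie_header(cookie_header)
    ids = decode_entity_ids(value) if value else []
    if not ids:
        return return_url
    return f"{return_url}?{urlencode({param: ids[-1]})}"


if __name__ == "__main__":
    # Constructed sample values, not real deployments
    hdr = build_set_cookie(None, "https://idp.example.org/saml", "CommonDomain.com")
    print(hdr)
    stored = cookie_value_from_set_cookie(hdr)
    print(discovery_redirect("https://sp.example.com/ds", f"{COOKIE_NAME}={stored}"))
```

The writer only ever emits Set-Cookie and the reader only ever consumes Cookie, which keeps the two roles the message distinguishes (lines 1063 and 1098) separate in code; `Path=/` is used so that the cookie is returned to the reading service regardless of the path at which it is deployed, the most general setting the message's line 1066 comment asks about.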
