security-services-comment message

Subject: comments re sstc-saml-metadata-ui-v1.0-wd0

These comments pertain to SAML V2.0 Metadata Extensions for Login and
Discovery User Interface Version 1.0, Working Draft 09, 25 July 2011

Section 2.4

Regarding the precedence rule in section 2.4.3 (<mdui:DisplayName> =>
<md:ServiceName> => entityID), what if there are multiple
<md:AttributeConsumingService> elements in SP metadata, that is,
multiple <md:ServiceName> elements? The extension spec doesn't address
this question.

I don't think the <mdui:DisplayName> element should override
*multiple* <md:ServiceName> elements since that would dilute the
effectiveness of multiple <md:AttributeConsumingService> elements. I
conclude, therefore, that the <mdui:DisplayName> element should not
override a single <md:ServiceName> element. A completely different
precedence rule is warranted.

Here's another way to look at it. Suppose you have a 100% standard
<md:EntityDescriptor> that describes a physical SP composed of several
logical SPs, each with its own <md:AttributeConsumingService> element.
At the IdP, the appropriate <md:ServiceName> is displayed to the user
based on the value of the AttributeConsumingServiceIndex XML attribute
on the <samlp:AuthnRequest> element.

Now add an <mdui:DisplayName> extension element to SP metadata. If the
IdP conforms to the extension spec, this breaks the UI at the IdP.
Instead of displaying a different name for each logical SP, the IdP
displays the same name for all. This is a bug.

I'm not sure what's the best way to fix this problem. Sure seems like
<md:ServiceName> should take precedence over <mdui:DisplayName>, not
vice versa. If so, what is the latter good for? As a name for the
physical SP, I suppose, but I'm not sure if that's useful in practice.

If I read the extension spec correctly, the precedence rule applied to
IdP metadata is simply <mdui:DisplayName> => entityID. This can't be
intended. We've been using <md:OrganizationDisplayName> on discovery
interfaces for years, but the latter doesn't even appear in the
precedence rule. If this is intended, then I must beg to differ. It
would seem that <mdui:DisplayName> in IdP metadata is of no use.

Section 3.1

Apparently, only a discovery service must conform to section 2.4.3.
That seems odd. Shouldn't the conformance requirements on lines
390--391 and 392--393 be combined?

Tom Scavo
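As an added illustration (not part of the original message or of the SSTC draft), the Python below reproduces the scenario described in the comment: an SP whose <md:EntityDescriptor> carries two <md:AttributeConsumingService> elements plus an <mdui:DisplayName>, with the name an IdP would display resolved once under the WD 09 precedence rule and once under the reversed order the comment argues for. The metadata, entityID, service names and URLs are constructed for the example.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDUI = "urn:oasis:names:tc:SAML:metadata:ui"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Constructed SP metadata (not a real deployment): one physical SP, two logical
# services with their own <md:ServiceName>, one <mdui:DisplayName> for the whole SP.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:mdui="{MDUI}"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><mdui:UIInfo>
      <mdui:DisplayName xml:lang="en">Example Portal</mdui:DisplayName>
    </mdui:UIInfo></md:Extensions>
    <md:AttributeConsumingService index="0" isDefault="true">
      <md:ServiceName xml:lang="en">Library Catalog</md:ServiceName>
    </md:AttributeConsumingService>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Grade Book</md:ServiceName>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
SP_ROOT = ET.fromstring(SP_METADATA)

def _localized(elems, lang="en"):
    """Text of the element tagged xml:lang=lang, else of the first one, else None."""
    for e in elems:
        if e.get(XML_LANG) == lang:
            return e.text
    return elems[0].text if elems else None

def service_name(root, acs_index=None, lang="en"):
    """<md:ServiceName> of the <md:AttributeConsumingService> the AuthnRequest's
    AttributeConsumingServiceIndex selects; with no index, the isDefault="true" one."""
    for svc in root.findall(f".//{{{MD}}}AttributeConsumingService"):
        if (svc.get("isDefault") == "true" if acs_index is None else svc.get("index") == str(acs_index)):
            return _localized(svc.findall(f"{{{MD}}}ServiceName"), lang)
    return None

def mdui_display_name(root, lang="en"):
    return _localized(root.findall(f".//{{{MDUI}}}DisplayName"), lang)

def name_wd09(root, acs_index=None):
    """WD 09 section 2.4.3 precedence: mdui:DisplayName => md:ServiceName => entityID.
    Once an mdui:DisplayName is present, every logical SP gets the same label."""
    return mdui_display_name(root) or service_name(root, acs_index) or root.get("entityID")

def name_service_first(root, acs_index=None):
    """The reversed order the comment argues for: md:ServiceName => mdui:DisplayName
    => entityID, so the per-service name selected by the index survives."""
    return service_name(root, acs_index) or mdui_display_name(root) or root.get("entityID")
```

With the WD 09 rule both logical SPs resolve to "Example Portal"; with ServiceName first, index 0 yields "Library Catalog" and index 1 "Grade Book", and the mdui:DisplayName is used only when no matching service exists.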
