security-services-comment message



Subject: comments re sstc-saml-metadata-ui-v1.0-wd0


These comments pertain to SAML V2.0 Metadata Extensions for Login and
Discovery User Interface Version 1.0, Working Draft 09, 25 July 2011
(sstc-saml-metadata-ui-v1.0-wd0).

Section 2.4

Regarding the precedence rule in section 2.4.3 (<mdui:DisplayName> =>
<md:ServiceName> => entityID), what if there are multiple
<md:AttributeConsumingService> elements in SP metadata, that is,
multiple <md:ServiceName> elements? The extension spec doesn't address
this question.

I don't think the <mdui:DisplayName> element should override
*multiple* <md:ServiceName> elements since that would dilute the
effectiveness of multiple <md:AttributeConsumingService> elements. I
conclude, therefore, that the <mdui:DisplayName> element should not
override a single <md:ServiceName> element. A completely different
precedence rule is warranted.

Here's another way to look at it. Suppose you have a 100% standard
<md:EntityDescriptor> that describes a physical SP composed of several
logical SPs, each with its own <md:AttributeConsumingService> element.
At the IdP, the appropriate <md:ServiceName> is displayed to the user
based on the value of the AttributeConsumingServiceIndex XML attribute
on the <samlp:AuthnRequest> element.

Now add an <mdui:DisplayName> extension element to SP metadata. If the
IdP conforms to the extension spec, this breaks the UI at the IdP.
Instead of displaying a different name for each logical SP, the IdP
displays the same name for all. This is a bug.

I'm not sure what's the best way to fix this problem. Sure seems like
<md:ServiceName> should take precedence over <mdui:DisplayName>, not
vice versa. If so, what is the latter good for? As a name for the
physical SP, I suppose, but I'm not sure if that's useful in practice.

If I read the extension spec correctly, the precedence rule applied to
IdP metadata is simply <mdui:DisplayName> => entityID. This can't be
intended. We've been using <md:OrganizationDisplayName> on discovery
interfaces for years, but the latter doesn't even appear in the
precedence rule. If this is intended, then I must beg to differ. It
would seem that <mdui:DisplayName> in IdP metadata is of no use.

Section 3.1

Apparently, only a discovery service must conform to section 2.4.3.
That seems odd. Shouldn't the conformance requirements on lines
390--391 and 392--393 be combined?

Tom Scavo
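The collision the post describes can be made concrete by resolving the name an IdP would show under the draft's precedence rule (<mdui:DisplayName> => <md:ServiceName> => entityID) and under the reversed rule the post argues for, against SP metadata that carries one <mdui:DisplayName> and two <md:AttributeConsumingService> elements. The following is an added example, not code from the post or from any OASIS deliverable; the metadata document, the entity ID and the service names are constructed for illustration, and the selection of an <md:AttributeConsumingService> by index (or by isDefault="true" when no index is supplied) mirrors how an IdP reads AttributeConsumingServiceIndex from an <samlp:AuthnRequest>.

```python
"""Resolve the SP name an IdP would display, under two precedence rules.

Added example (not from the post): shows that with the Working Draft 09
rule, one <mdui:DisplayName> masks every <md:ServiceName>, so two logical
SPs behind one <md:EntityDescriptor> get the same name at the IdP.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}

# Constructed sample metadata: a physical SP hosting two logical services.
# The entityID and names are placeholders, not a real deployment.
SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Example Physical SP</mdui:DisplayName>
      </mdui:UIInfo>
    </md:Extensions>
    <md:AttributeConsumingService index="1" isDefault="true">
      <md:ServiceName xml:lang="en">Library Portal</md:ServiceName>
    </md:AttributeConsumingService>
    <md:AttributeConsumingService index="2">
      <md:ServiceName xml:lang="en">Grade Book</md:ServiceName>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def load(xml_text):
    """Parse an <md:EntityDescriptor> document and return its root element."""
    return ET.fromstring(xml_text)


def service_name(sp, acs_index=None):
    """<md:ServiceName> of the AttributeConsumingService selected by index.

    acs_index plays the role of AttributeConsumingServiceIndex from the
    <samlp:AuthnRequest>; None means "use the default service" (the one
    marked isDefault="true", else the first one listed).
    """
    acs_list = sp.findall("md:SPSSODescriptor/md:AttributeConsumingService", NS)
    if acs_index is not None:
        chosen = next((a for a in acs_list if a.get("index") == str(acs_index)), None)
    else:
        chosen = next((a for a in acs_list if a.get("isDefault") == "true"), None)
        if chosen is None and acs_list:
            chosen = acs_list[0]
    if chosen is None:
        return None
    name = chosen.find("md:ServiceName", NS)
    return name.text if name is not None else None


def ui_display_name(sp):
    """<mdui:DisplayName> from the SP role's <md:Extensions>, if present."""
    el = sp.find("md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:DisplayName", NS)
    return el.text if el is not None else None


def name_per_wd09(sp, acs_index=None):
    """Draft section 2.4.3 order: DisplayName => ServiceName => entityID."""
    return ui_display_name(sp) or service_name(sp, acs_index) or sp.get("entityID")


def name_per_proposal(sp, acs_index=None):
    """Order the post argues for: ServiceName (by index) => DisplayName => entityID."""
    return service_name(sp, acs_index) or ui_display_name(sp) or sp.get("entityID")


if __name__ == "__main__":
    sp = load(SP_METADATA)
    for idx in (1, 2, None, 3):
        print(f"index={idx!s:4}  wd09: {name_per_wd09(sp, idx):22}"
              f"  proposal: {name_per_proposal(sp, idx)}")
```

Running the block shows the two logical SPs collapsing to "Example Physical SP" under the draft's rule, while the reversed rule keeps "Library Portal" and "Grade Book" distinct and only falls back to <mdui:DisplayName> when the requested index (3 here) matches no <md:AttributeConsumingService>.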