Subject: comments re sstc-saml-metadata-ui-v1.0-wd0
These comments pertain to SAML V2.0 Metadata Extensions for Login and Discovery User Interface Version 1.0, Working Draft 09, 25 July 2011 (sstc-saml-metadata-ui-v1.0-wd0).

Section 2.4

Regarding the precedence rule in section 2.4.3 (<mdui:DisplayName> => <md:ServiceName> => entityID), what if there are multiple <md:AttributeConsumingService> elements in SP metadata, that is, multiple <md:ServiceName> elements? The extension spec doesn't address this question. I don't think the <mdui:DisplayName> element should override *multiple* <md:ServiceName> elements since that would dilute the effectiveness of multiple <md:AttributeConsumingService> elements. I conclude, therefore, that the <mdui:DisplayName> element should not override a single <md:ServiceName> element. A completely different precedence rule is warranted.

Here's another way to look at it. Suppose you have a 100% standard <md:EntityDescriptor> that describes a physical SP composed of several logical SPs, each with its own <md:AttributeConsumingService> element. At the IdP, the appropriate <md:ServiceName> is displayed to the user based on the value of the AttributeConsumingServiceIndex XML attribute on the <samlp:AuthnRequest> element. Now add an <mdui:DisplayName> extension element to SP metadata. If the IdP conforms to the extension spec, this breaks the UI at the IdP. Instead of displaying a different name for each logical SP, the IdP displays the same name for all. This is a bug.

I'm not sure what's the best way to fix this problem. Sure seems like <md:ServiceName> should take precedence over <mdui:DisplayName>, not vice versa. If so, what is the latter good for? As a name for the physical SP, I suppose, but I'm not sure if that's useful in practice.

If I read the extension spec correctly, the precedence rule applied to IdP metadata is simply <mdui:DisplayName> => entityID. This can't be intended. We've been using <md:OrganizationDisplayName> on discovery interfaces for years, but the latter doesn't even appear in the precedence rule. If this is intended, then I must beg to differ. It would seem that <mdui:DisplayName> in IdP metadata is of no use.

Section 3.1

Apparently, only a discovery service must conform to section 2.4.3. That seems odd. Shouldn't the conformance requirements on lines 390--391 and 392--393 be combined?

Tom Scavo
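As an added illustration of the precedence question raised in the message above (example code written for this page, not part of the message, of the SSTC draft, or of any SAML implementation): the script below parses constructed SP metadata containing two <md:AttributeConsumingService> elements plus an <mdui:DisplayName>, and resolves the name an IdP would show under the draft's rule (<mdui:DisplayName> => <md:ServiceName> => entityID) and under the alternative the message argues for (<md:ServiceName> of the requested index => <mdui:DisplayName> => entityID). The entityID, service names and display name are invented; the rule for selecting a service when no AttributeConsumingServiceIndex is sent (the element marked isDefault="true", else the first listed) is an assumption of the example.

```python
"""Resolve the SP name an IdP displays, under two precedence rules.

Constructed example for the precedence question in the message above.
The sample metadata is invented and describes no real deployment.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}
# ElementTree exposes xml:lang under the XML namespace URI.
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Constructed SP metadata: one physical SP made of two logical SPs
# (ACS index 0 and 1), plus an mdui:DisplayName naming the physical SP.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions>
      <mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">Example Campus Portal</mdui:DisplayName>
      </mdui:UIInfo>
    </md:Extensions>
    <md:AttributeConsumingService index="0" isDefault="true">
      <md:ServiceName xml:lang="en">Library Catalog</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"/>
    </md:AttributeConsumingService>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Grade Book</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _localized(elements, lang):
    """Text of the element whose xml:lang matches, else the first; None if empty."""
    for el in elements:
        if el.get(XML_LANG) == lang:
            return el.text
    return elements[0].text if elements else None


def service_name(entity, acs_index, lang="en"):
    """<md:ServiceName> of the service selected by AttributeConsumingServiceIndex.

    acs_index None means the AuthnRequest carried no index. Assumption of this
    example: that selects the service marked isDefault="true", or the first
    one listed when none is marked. An index that matches nothing yields None.
    """
    services = entity.findall("md:SPSSODescriptor/md:AttributeConsumingService", NS)
    if acs_index is None:
        chosen = next((s for s in services if s.get("isDefault") == "true"), None)
        if chosen is None and services:
            chosen = services[0]
    else:
        chosen = next((s for s in services if s.get("index") == str(acs_index)), None)
    if chosen is None:
        return None
    return _localized(chosen.findall("md:ServiceName", NS), lang)


def mdui_display_name(entity, lang="en"):
    """<mdui:DisplayName> from the SPSSODescriptor's UIInfo extension, if any."""
    names = entity.findall(
        "md:SPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:DisplayName", NS)
    return _localized(names, lang)


def name_per_wd09(metadata_xml, acs_index=None, lang="en"):
    """Precedence as the draft states it: DisplayName => ServiceName => entityID."""
    entity = ET.fromstring(metadata_xml)
    return (mdui_display_name(entity, lang)
            or service_name(entity, acs_index, lang)
            or entity.get("entityID"))


def name_per_proposal(metadata_xml, acs_index=None, lang="en"):
    """Precedence the message argues for: ServiceName => DisplayName => entityID."""
    entity = ET.fromstring(metadata_xml)
    return (service_name(entity, acs_index, lang)
            or mdui_display_name(entity, lang)
            or entity.get("entityID"))


if __name__ == "__main__":
    for idx in (0, 1, None):
        print(f"index={idx!s:4} wd09: {name_per_wd09(SP_METADATA, idx)!r:24} "
              f"proposal: {name_per_proposal(SP_METADATA, idx)!r}")
```

Running it shows the collapse the message describes: under the draft's rule both logical SPs display as "Example Campus Portal", while under the proposed rule index 0 displays "Library Catalog" and index 1 "Grade Book", with <mdui:DisplayName> still serving as the physical SP's name when a request carries an index the metadata does not define.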