Subject: Re: I changed my mind about eliminating the Web browser "Post" profile
Hal,

I'm pleased to see that you changed your mind regarding the POST profile as it can eliminate the need for additional server-state that Artifacts introduce. I still think that the bindings group should take a look at the issues raised in:

The earlier mentioned "JavaScript security issue" can be made much less of a choice by actually letting the user's browser do the "decision".

If JavaScript-based solutions must be in appendices, the following code belongs there:
<HTML>
<BODY BGCOLOR="#FFFFFF">
<FORM METHOD="POST" ACTION="Destination-URL">
<NOSCRIPT>
<CENTER><H2>Your browser is JavaScript-disabled!</H2>
<H3>Click on the button below to manually continue the login</H3>
<INPUT TYPE="SUBMIT" VALUE="Continue"></CENTER>
</NOSCRIPT>
<INPUT TYPE="HIDDEN" NAME="SAMLAssertion" VALUE="Assertion in Base64-coding">
</FORM>
</BODY>
</HTML>

Only to please (?) you we have added this fallback code to our SAML-inspired Purple demo so you can try with or without JavaScript enabled in your browser.

Note: Don't try to run the "seller" app as it does not perform as expected without JavaScript. Only authentication works.
My referred-to document has been updated accordingly:
Regards
Anders

----- Original Message -----
From: "Hal Lockhart" <hal.lockhart@entegrity.com>
Sent: Friday, August 31, 2001 16:41
Subject: I changed my mind about eliminating the Web browser "Post" profile

Profile. My reason was a hope we could avoid "Bearer" Assertions entirely. I have been convinced that Bearer Assertions will be required. I can live with this providing:

1. They are clearly labelled as such. (The current spec is almost there.)
2. They are only used in profiles where absolutely necessary.
3. Appropriate analysis is provided in Security Considerations.

As a consequence, I now agree with Prateek that we should continue to develop both the "artifact" and the "Form Post" variants of the Browser profile. The issue of which one or both is mandatory to implement can be discussed later.

Hal