[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: RE: [security-services] Status Code proposal
Saml error discussion follow-up.
From my point of view it is better to define saml error structure that is independent of any bound protocol. Any error condition that is raised before
control is passed to saml assertion processor should be reported in the context
of the bound protocol. Any error condition that is raised by the saml processor
should be reported withing saml error framework (possibly as a child of saml:Response element).
If we take soap on top of http binding as an example, http authentication failure,
incorrect content-length are examples of errors from the lower protocol layer
(http). The second type of errors should be reported by the soap layer: request
method other than post, incorrect soap namespace, incorrect saml namespace,
misunderstood soap headers - all of these should be returned within
Then we get to saml errors - those could be broken down in syntax errors and semantic errors.
Syntax errors: assertion is not conforming to schema. Semantic errors: signature
does not validate, assertion attachment can not be verified, subject can not be
From: Scott Cantor [mailto:firstname.lastname@example.org]
Sent: Monday, October 29, 2001 10:22 AM
Subject: [security-services] Status Code proposal
I offered to propose a revamp/expansion of the existing StatusCodeType in
protocol-19 to try and get a discussion started that hopefully can be
finished by others at the FtF.
Reviewing the existing schema:
<enumeration value="Success" />
<enumeration value="Failure" />
<enumeration value="Error" />
<enumeration value="Unknown" />
Core-19, in the section on versioning already defines new error codes that
aren't listed here, so presumably we can assume there's already a need to
extend this. Applications are likely to want to define their own codes in
addition to those SAML defines.
I propose defining several "levels" of detail for use by both SAML
components and applications built on top of them. This is more or less
patterned after SOAP. First the proposal:
<element name="StatusInfo" type="samlp:StatusInfoType"/>
<any namespace="##any" processContents="lax" minOccurs="0"
<attribute name="Status" type="samlp:StatusCodeType"/>
<attribute name="SpecificStatus" type="QName"/>
<attribute name="Message" type="string"/>
This builds on the current attribute and changes it to a StatusInfo element
that contains the existing high-level status, but adds three additional
"channels". The SpecificStatus is a QName, so it's namespace qualified,
providing the ability for SAML to define its own specific codes (like the
ones in core-19) and for layered applications to define their own codes
The Message seems like a good thing to have, for basic "readable" error
messages (might need some additional stuff for proper I18N)
Finally, the StatusInfo element can contain aritrary XML for passing
structured error information if both sides understand what to expect, based
on the SpecificStatus, probably.
I think this is pretty clean, but error handling is a can of worms, so I'm
sure opinions differ. Have at it.
Office of Info Tech
The Ohio State Univ
To subscribe or unsubscribe from this elist use the subscription
Powered by eList eXpress LLC