
security-services message


Subject: [security-services] SAML User-Friendly? (bindings-6)

bindings model 6, line 534:

  "If the user is refused access to the desired resource, the
  destination site MUST return a HTTP "403 Forbidden"
  error code to the browser (step (6))."

What you return to a user (unlike a machine) is wrong to specify as a MUST.
It is in most cases more appropriate to return HTTP 200 OK and display
a message that says something useful like "You are not authorized to access
this resource, please contact your local business administrator", or
"Your organization is unknown, get lost!" depending on what the reason
for the rejection really is.  Hopefully in a localized language as well.
SAML does not support user-language I guess?

But that is just a breeze compared to the following:

If the target URL is wrong or the target server does not
respond, the *user* is left with the misery and without the
source site [the user's administrator] knowing it.  That makes
SAML only suitable for closed scenarios.  Note: Shib does
AFAIK not have this problem, only plain-vanilla SAML
based on bindings-06.

In OBI Express (tm), which will be the world's first plug-and-play
e-commerce standard, we augmented SAML (some sort of) with
"WebServices" and got a much, much better system with respect
to robustness, user-friendliness, and administration.  Due to the
extension mechanisms in SAML I think we will still be able to
call ourselves SAML-compliant!

Anders Rundgren

Trademarks: OBI is a trademark of CommerceNet
