security-services message

Subject: RE: [security-services] proposed change to POST profile: send Response instead of Assertion


> > If everyone else is convinced, I guess I am.  *If* everyone else is
> > convinced?  Could an HTTP binding be made dead-simple enough to
> > "happen" to carry a SAML request or response?  If so, why didn't we
> > include it in SAML 1.0?

I strongly favored HTTP (the SOAP layer, which is soon to be a legacy
version of SOAP, adds work for implementers and clear overhead at
runtime with no benefits that I'm seeing), but I also agree with having
one mandatory well-defined binding rather than two, so there wasn't any
point in pushing its inclusion.

But the POST profile (even this proposed version of it) really isn't an
HTTP binding, though I guess it has some similarities. For one thing, it
puts a SAML Response in the HTTP request, which is backward from the
HTTP binding. It's also a multi-hop profile with the browser in the
middle, so you have to worry about MITM and such.

The real way to think about the proposed change is as a schema cleanup
suggestion that gets a confusing element out of Assertion and aligns the
POST profile better with the other one.

-- Scott