Subject: RE: [security-services] proposed change to POST profile: send Response instead of Assertion
> > If everyone else is convinced, I guess I am. *If* everyone else
> > convinced? Could an HTTP binding be made dead-simple enough to
> > "happen" to carry a SAML request or response? If so, why didn't we
> > include it in SAML 1.0?

I strongly favored HTTP (the SOAP layer, which is soon to be a legacy version of SOAP, adds work for implementers and clear overhead at runtime with no benefits that I'm seeing), but I also agree with having one mandatory well-defined binding rather than two, so there wasn't any point in pushing its inclusion.

But the POST profile (even this proposed version of it) really isn't an HTTP binding, though I guess it has some similarities. For one thing, it puts a SAML Response in the HTTP request, which is backward from the HTTP binding. It's also a multi-hop profile with the browser in the middle, so you have to worry about MITM and such.

The real way to think about the proposed change is as a schema cleanup suggestion that gets a confusing element out of Assertion and aligns the POST profile better with the other one.

-- Scott
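Since the POST profile hands a SAML Response to the destination site through the browser, the destination has to check that the message it received was minted for it and is still fresh before trusting anything inside. Below is an added example (not code from this thread or from the SAML specification) of those structural checks on a SAML 1.x Response; element and attribute names follow the SAML 1.1 schema, the sample message is constructed, and the actual XML-DSig signature verification is assumed to be done by a separate library.

```python
# Added example, not code from the thread: the structural checks a destination site
# should run on a SAML 1.x Response that a browser has POSTed to it (the multi-hop
# situation Scott describes). Names follow the SAML 1.1 schema; the sample message is
# constructed. Signature *verification* is assumed to be done by an XML-DSig library.
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

def parse_instant(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_posted_response(response_b64, my_consumer_url, now, skew=timedelta(minutes=5)):
    """Return the reasons to reject the posted Response; an empty list means it passed."""
    problems = []
    root = ET.fromstring(base64.b64decode(response_b64))
    if root.tag != f"{{{SAMLP}}}Response":
        return ["top-level element is not samlp:Response"]
    # The browser relayed this, so insist the message was minted for *this* site.
    if root.get("Recipient") != my_consumer_url:
        problems.append("Recipient does not match this consumer URL")
    if root.find(f"{{{DS}}}Signature") is None:
        problems.append("Response carries no signature")
    if abs(now - parse_instant(root.get("IssueInstant", "1970-01-01T00:00:00Z"))) > skew:
        problems.append("IssueInstant outside allowed clock skew")
    assertions = root.findall(f"{{{SAML}}}Assertion")
    if not assertions:
        problems.append("no Assertion inside the Response")
    for a in assertions:
        cond = a.find(f"{{{SAML}}}Conditions")
        nb = cond.get("NotBefore") if cond is not None else None
        na = cond.get("NotOnOrAfter") if cond is not None else None
        if nb and now < parse_instant(nb) - skew:
            problems.append("Assertion not yet valid")
        if na and now >= parse_instant(na) + skew:
            problems.append("Assertion expired")
    return problems

# Constructed sample: a signed, freshly issued Response for https://dest.example/saml/post.
SAMPLE_B64 = base64.b64encode(f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
 xmlns:ds="{DS}" ResponseID="_r1" MajorVersion="1" MinorVersion="1"
 IssueInstant="2002-06-01T12:00:00Z" Recipient="https://dest.example/saml/post"><ds:Signature/>
 <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
 <saml:Assertion AssertionID="_a1" Issuer="source.example" MajorVersion="1" MinorVersion="1"
  IssueInstant="2002-06-01T12:00:00Z"><saml:Conditions NotBefore="2002-06-01T11:59:00Z"
  NotOnOrAfter="2002-06-01T12:05:00Z"/></saml:Assertion></samlp:Response>""".encode())
```

Calling `check_posted_response(SAMPLE_B64, "https://dest.example/saml/post", parse_instant("2002-06-01T12:01:00Z"))` returns an empty list; the same message presented to a different consumer URL, or half an hour later, is rejected.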