OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: [security-services] ISSUE: protocol for artifact- and ID-based queries

What is the right answer to these questions?

>In the doc: draft-sstc-bindings-model-11, Page 16, Line  507-510 says :
>"In the case where the source site returns assertions within
><samlp:Response>, it MUST return  exactly one assertion for each SAML 
>artifact found in the corresponding <samlp:Request>  element. The case 
>where fewer or greater number of assertions is returned within 
>the  <samlp:Response> element MUST be treated as an error state by the 
>destination site. "
>Line 523 says:
>"At least one of the SAML assertions returned to the destination site
>MUST be an SSO assertion. "
>My question is that "exactly one assertion" means one SSO assertion or
>any kind of assertion.  For example, if I send a <samlp:request> contains 
>one SAML artifact, and receive a <samlp:response> which contains exactly 
>ONE  valid SSO assertion corresponding to the artifact. But I also receive 
>additional assertions which are not SSO assertion. Should I consider such 
>response to be invalid?
>The same case for request/response corresponding AssertionID. Can the
>response send additional assertions plus the corresponding assertion to the

Eve Maler                                    +1 781 442 3190
Sun Microsystems XML Technology Center   eve.maler @ sun.com

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC