security-services message
Subject: RE: [security-services] ISSUE: protocol for artifact- and ID-based queries



> In the doc: draft-sstc-bindings-model-11, Page 16, Lines 507-510 say:
>
> "In the case where the source site returns assertions within
> <samlp:Response>, it MUST return exactly one assertion for each SAML
> artifact found in the corresponding <samlp:Request> element. The case
> where fewer or greater number of assertions is returned within
> the <samlp:Response> element MUST be treated as an error state by the
> destination site."
>
> Line 523 says:
> "At least one of the SAML assertions returned to the destination site
> MUST be an SSO assertion."
>
> My question is whether "exactly one assertion" means one SSO assertion or
> any kind of assertion. For example, if I send a <samlp:Request> that contains
> one SAML artifact, and receive a <samlp:Response> which contains exactly
> ONE valid SSO assertion corresponding to the artifact, but I also receive
> additional assertions which are not SSO assertions, should I consider such a
> response to be invalid?

Our model here has the following logic: for every artifact received
on the URL line, one assertion must be returned from the source
site (one assertion, one artifact
principle). Some of the returned assertions may be SSO assertions,
but some may not.
If there are too few or too many assertions, we have an error.

Once all of the assertions have been collected at the destination site,
at least one must be an SSO assertion.

Hope this is clear enough. We could debate whether we need quite so 
restrictive a set of conditions, but at least the constraints are
pretty concrete.


- prateek mishra
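The two checks described in the reply (one assertion per artifact, and at least one SSO assertion among them) are easy to get wrong in a destination-site implementation, so here is an added example of what that validation looks like in code. This is illustrative code written for this archive page, not code from the SAML specification or from any OASIS member's implementation. It assumes SAML 1.0 namespaces, that the request carries its artifacts as `samlp:AssertionArtifact` children, and that an "SSO assertion" can be recognised by the presence of a `saml:AuthenticationStatement`; the request/response builders and their IDs are constructed for the example.

```python
import xml.etree.ElementTree as ET

# SAML 1.0 protocol and assertion namespaces (assumed to match the draft under discussion)
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"


def count_artifacts(request_xml: str) -> int:
    """Number of <samlp:AssertionArtifact> elements in the <samlp:Request>."""
    root = ET.fromstring(request_xml)
    return len(root.findall(f"{{{SAMLP}}}AssertionArtifact"))


def is_sso_assertion(assertion: ET.Element) -> bool:
    """Assumption: an SSO assertion is one carrying an AuthenticationStatement."""
    return assertion.find(f"{{{SAML}}}AuthenticationStatement") is not None


def validate_artifact_response(request_xml: str, response_xml: str) -> tuple[bool, str]:
    """Apply the destination-site rules from the bindings draft:
    - exactly one assertion per artifact in the corresponding request
      (fewer or more is an error, regardless of which kinds they are);
    - at least one of the returned assertions must be an SSO assertion.
    Returns (ok, reason)."""
    expected = count_artifacts(request_xml)
    root = ET.fromstring(response_xml)
    assertions = root.findall(f"{{{SAML}}}Assertion")

    if len(assertions) != expected:
        return (False, f"expected {expected} assertion(s) for {expected} artifact(s), "
                       f"got {len(assertions)}")
    if not any(is_sso_assertion(a) for a in assertions):
        return (False, "no SSO assertion among the returned assertions")
    return (True, "ok")


# --- constructed sample messages (not real SAML traffic) ---

def make_request(n_artifacts: int) -> str:
    """Build a <samlp:Request> with n constructed artifact values."""
    parts = [f'<samlp:Request xmlns:samlp="{SAMLP}" RequestID="constructed-req" '
             f'MajorVersion="1" MinorVersion="0">']
    for i in range(n_artifacts):
        parts.append(f"<samlp:AssertionArtifact>constructed-artifact-{i}</samlp:AssertionArtifact>")
    parts.append("</samlp:Request>")
    return "".join(parts)


def make_response(statement_kinds: list[str]) -> str:
    """Build a <samlp:Response> with one assertion per listed statement kind,
    e.g. ["AuthenticationStatement", "AttributeStatement"]."""
    parts = [f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
             f'ResponseID="constructed-resp" MajorVersion="1" MinorVersion="0">',
             '<samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>']
    for i, kind in enumerate(statement_kinds):
        parts.append(f'<saml:Assertion AssertionID="constructed-{i}" MajorVersion="1" '
                     f'MinorVersion="0"><saml:{kind}/></saml:Assertion>')
    parts.append("</samlp:Response>")
    return "".join(parts)


if __name__ == "__main__":
    # The exact situation asked about in the thread: one artifact, but the
    # response carries an SSO assertion plus an extra attribute assertion.
    req = make_request(1)
    print(validate_artifact_response(req, make_response(["AuthenticationStatement"])))
    print(validate_artifact_response(req, make_response(["AuthenticationStatement",
                                                         "AttributeStatement"])))
    print(validate_artifact_response(req, make_response(["AttributeStatement"])))
```

The second case in `__main__` is the questioner's scenario: one artifact, one SSO assertion, plus an extra non-SSO assertion. Under the reply's logic the count check fails before the SSO check is even reached, so the response is rejected. A real destination site would of course also verify the status code, signatures, validity periods and that each assertion actually corresponds to an artifact it sent; this example isolates only the two counting rules from the draft.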

