Subject: [security-services] ? re: multiple artifacts in a single BAP exchange
I've been asked about this a couple of times - once by a SAML developer and once by a Liberty architect...
In the SAML Bindings and Profiles description of the Browser/Artifact Profile, it is stated in lines 467-470 and 491-494 that: "A single target description MUST be included in the <SAML searchpart> component. At least one SAML artifact MUST be included in the <SAML searchpart> component; multiple SAML artifacts MAY be included. If more than one artifact is carried within <SAML searchpart>, all the artifacts MUST have the same SourceID."
This description was carried forward into Liberty as well.
The question that folks have asked me is "what is the use case/need that would result in multiple artifacts being generated?". Does anyone know of any products that will actually produce a BAP redirect with multiple SAMLart parameters?
Also, the use of the "MAY" here isn't quite clear to me. Does it mean that vendors MAY choose to support multiple artifacts but MAY also just support a single artifact - i.e. the implementation never sends more than one and it can reject the request where more than one exists? Or since it says that multiple artifacts MAY be included, does it infer that a conforming implementation must be able to handle all of them?
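The constraints quoted above from the Bindings and Profiles text, written as a receiver-side check. This is an added example, not part of the original message or of any SAML or Liberty implementation. It assumes the SAML 1.x `TARGET` and `SAMLart` query parameter names and the type 0x0001 artifact layout (2-byte type code, 20-byte SourceID, 20-byte assertion handle, base64-encoded). The `allow_multiple` switch is hypothetical and only models the two readings of "MAY" asked about; it does not settle which one is conforming.

```python
import base64
from urllib.parse import parse_qs

TYPE_0001 = b"\x00\x01"      # assumed: SAML 1.x type 0x0001 artifact
ARTIFACT_LEN = 2 + 20 + 20   # TypeCode + SourceID + AssertionHandle


def make_artifact(source_id, handle):
    """Build a constructed sample artifact (for illustration only)."""
    return base64.b64encode(TYPE_0001 + source_id + handle).decode("ascii")


def artifact_source_id(artifact_b64):
    """Decode one SAMLart value and return its 20-byte SourceID."""
    try:
        raw = base64.b64decode(artifact_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("artifact is not valid base64") from exc
    if len(raw) != ARTIFACT_LEN or raw[:2] != TYPE_0001:
        raise ValueError("unexpected artifact type or length")
    return raw[2:22]


def check_searchpart(query, allow_multiple=True):
    """Validate a searchpart; return (target, artifacts) or raise ValueError."""
    params = parse_qs(query, keep_blank_values=True, strict_parsing=True)
    targets = params.get("TARGET", [])
    artifacts = params.get("SAMLart", [])
    if len(targets) != 1:
        raise ValueError("exactly one TARGET is required")
    if not artifacts:
        raise ValueError("at least one SAMLart is required")
    if len(artifacts) > 1 and not allow_multiple:
        # Reading 1: the receiver supports a single artifact and rejects more.
        raise ValueError("multiple artifacts not accepted by this receiver")
    # Reading 2: accept several, but all must name the same source site.
    if len({artifact_source_id(a) for a in artifacts}) != 1:
        raise ValueError("artifacts carry different SourceIDs")
    return targets[0], artifacts
```

Rejecting the whole request when the SourceIDs differ keeps the receiver from resolving artifacts against more than one source site in a single exchange.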