security-services message
Subject: [security-services] RE: [saml-dev] ? re: multiple artifacts in a single BAP exchange


 

In the SAML Bindings and Profiles description of the Browser/Artifact Profile, it is stated in lines 467-470 and 491-494 that: "A single target description MUST be included in the <SAML searchpart> component. At least one SAML artifact MUST be included in the <SAML searchpart> component; multiple SAML artifacts MAY be included. If more than one artifact is carried within <SAML searchpart>, all the artifacts MUST have the same SourceID."

 

This description was carried forward into Liberty as well.

 

The question that folks have asked me is "what is the use case/need that would result in multiple artifacts being generated?".  Does anyone know of any products that will actually produce a BAP redirect with multiple SAMLart parameters?

------------------------------------------------------------------------------------------------------------------------------------------

<PRATEEK>

 

Rob, the model here is that one or more artifacts will be returned as part of the searchpart. And that SAML consumers should be able to pull multiple assertions if needed. The use-case which drove this example was one where the source site generated a single short-lived assertion with an authentication statement (SSO assertion) but also sent a long-lived assertion carrying attributes.

 

Do you think the single/multiple assertion distinction should be captured in meta-data?

</PRATEEK>

-------------------------------------------------

 

Also, the use of the "MAY" here isn't quite clear to me.  Does it mean that vendors MAY choose to support multiple artifacts but MAY also just support a single artifact - i.e. the implementation never sends more than one and it can reject the request where more than one exists?  Or since it says that multiple artifacts MAY be included, does it imply that a conforming implementation must be able to handle all of them?

 

Thanks!

Rob Philpott
RSA Security Inc.
The Most Trusted Name in e-Security
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
mailto:rphilpott@rsasecurity.com
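The searchpart rules quoted above, and the two readings of "MAY" raised in the message, can be made concrete on the receiving side. The following is an added example, not code from the thread or from any vendor's product: it parses a Browser/Artifact Profile redirect URL, requires exactly one TARGET and at least one SAMLart, decodes each artifact as the type 0x0001 layout (2-byte type code, 20-byte SourceID, 20-byte AssertionHandle, base64-encoded) and rejects the redirect if the artifacts disagree on SourceID. The optional max_artifacts parameter models a receiver that chose to support only a single artifact. All function names, URLs and sample artifact values are constructed for this example.

```python
"""Receiver-side validation of a SAML 1.x Browser/Artifact Profile redirect.

Added example; not from the mailing-list thread or any product. It checks the
Bindings and Profiles searchpart rules: one TARGET, at least one SAMLart, and
a common SourceID across all SAMLart values. The artifact layout assumed here
is the type 0x0001 artifact: TypeCode(2) || SourceID(20) || AssertionHandle(20).
Names, URLs and sample values are constructed for illustration.
"""
import base64
import hashlib
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

TYPE_0001 = b"\x00\x01"


@dataclass(frozen=True)
class Artifact:
    type_code: bytes
    source_id: bytes
    handle: bytes


def decode_artifact(value: str) -> Artifact:
    """Base64-decode one SAMLart value and split it into its fixed-width fields."""
    raw = base64.b64decode(value, validate=True)
    if len(raw) != 42 or raw[:2] != TYPE_0001:
        raise ValueError("unsupported artifact type or length")
    return Artifact(raw[:2], raw[2:22], raw[22:42])


def validate_bap_redirect(url: str, max_artifacts: Optional[int] = None) -> List[Artifact]:
    """Apply the searchpart rules to a redirect URL; raise ValueError on violation.

    max_artifacts models a receiver that only supports a limited number of
    artifacts (pass 1 for a single-artifact implementation); None means no limit.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    targets = query.get("TARGET", [])
    arts = query.get("SAMLart", [])
    if len(targets) != 1:
        raise ValueError("exactly one TARGET is required")
    if not arts:
        raise ValueError("at least one SAMLart is required")
    if max_artifacts is not None and len(arts) > max_artifacts:
        raise ValueError(f"receiver accepts at most {max_artifacts} artifact(s)")
    decoded = [decode_artifact(a) for a in arts]
    if len({a.source_id for a in decoded}) != 1:
        raise ValueError("all artifacts must carry the same SourceID")
    return decoded


def rejects(url: str, max_artifacts: Optional[int] = None) -> bool:
    """True if the redirect is rejected by validate_bap_redirect."""
    try:
        validate_bap_redirect(url, max_artifacts)
    except ValueError:
        return True
    return False


# --- constructed sample data so the module runs stand-alone ---------------

def make_artifact(source_id: bytes, handle: bytes) -> str:
    """Build a type 0x0001 artifact from constructed inputs (not a real issuer)."""
    return base64.b64encode(TYPE_0001 + source_id + handle).decode()


def build_redirect(target: str, artifacts: List[str]) -> str:
    """Assemble a redirect URL carrying one TARGET and N SAMLart parameters."""
    params = [("TARGET", target)] + [("SAMLart", a) for a in artifacts]
    return "https://dest.example.org/artifact?" + urlencode(params)


# SourceIDs are 20-byte SHA-1 digests of constructed source-site identifiers.
SOURCE_A = hashlib.sha1(b"https://source-a.example.org").digest()
SOURCE_B = hashlib.sha1(b"https://source-b.example.org").digest()
TARGET = "https://dest.example.org/app"

# Two artifacts from the same source (e.g. an SSO assertion plus an attribute assertion).
GOOD_URL = build_redirect(TARGET, [make_artifact(SOURCE_A, b"\x01" * 20),
                                   make_artifact(SOURCE_A, b"\x02" * 20)])
# Artifacts from two different sources: violates the same-SourceID rule.
MIXED_URL = build_redirect(TARGET, [make_artifact(SOURCE_A, b"\x01" * 20),
                                    make_artifact(SOURCE_B, b"\x03" * 20)])
# No artifact at all.
EMPTY_URL = build_redirect(TARGET, [])

if __name__ == "__main__":
    for name, url in [("good", GOOD_URL), ("mixed", MIXED_URL), ("empty", EMPTY_URL)]:
        print(name, "accepted" if not rejects(url) else "rejected")
    print("good, single-artifact receiver:", "rejected" if rejects(GOOD_URL, 1) else "accepted")
```

Run as a script, the module accepts GOOD_URL, rejects MIXED_URL and EMPTY_URL, and shows that a receiver configured with max_artifacts=1 rejects GOOD_URL even though it is well-formed; that last case is the single-artifact interpretation of the "MAY" under discussion, and whether it is conforming is exactly the question the message leaves open.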

 


