In the SAML Bindings and Profiles description of the Browser/Artifact Profile, it is stated in lines 467-470 and 491-494 that: "A single target description MUST be included in the <SAML searchpart> component. At least one SAML artifact MUST be included in the <SAML searchpart> component; multiple SAML artifacts MAY be included. If more than one artifact is carried within <SAML searchpart>, all the artifacts MUST have the same SourceID."

This description was carried forward into Liberty as well.

The question that folks have asked me is "what is the use case/need that would result in multiple artifacts being generated?". Does anyone know of any products that will actually produce a BAP redirect with multiple SAMLart parameters?
------------------------------------------------------------------------------------------------------------------------------------------
<PRATEEK>
Rob, the model here is that one or more artifacts will be returned as part of the searchpart, and that SAML consumers should be able to pull multiple assertions if needed. The use case which drove this example was one where the source site generated a single short-lived assertion with an authentication statement (SSO assertion) but also sent a long-lived assertion carrying attributes.

Do you think the single/multiple assertion distinction should be captured in meta-data?
</PRATEEK>
-------------------------------------------------
Also, the use of the "MAY" here isn't quite clear to me. Does it mean that vendors MAY choose to support multiple artifacts but MAY also just support a single artifact - i.e. the implementation never sends more than one and it can reject the request where more than one exists? Or since it says that multiple artifacts MAY be included, does it infer that a conforming implementation must be able to handle all of them?
Thanks!

Rob Philpott
RSA Security Inc.
The Most Trusted Name in e-Security
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
mailto:rphilpott@rsasecurity.com
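To make the quoted searchpart rules concrete, here is an added example (not code from the thread or from any SAML product) of a destination-site check that enforces them before any artifact is dereferenced: exactly one TARGET, one or more SAMLart, and one SourceID across all of them. It assumes the type 0x0001 artifact layout from the Bindings and Profiles spec (2-byte TypeCode, 20-byte SourceID, 20-byte AssertionHandle, base64-encoded); the URLs and source-site identifier are constructed sample values.

```python
import base64
import hashlib
from urllib.parse import parse_qs, urlencode, urlsplit

TYPE_CODE_1 = b"\x00\x01"  # artifact TypeCode 0x0001 from the Bindings and Profiles spec


def make_artifact(source_id: bytes, handle: bytes) -> str:
    """Type-1 artifact: TypeCode(2) || SourceID(20) || AssertionHandle(20), base64."""
    if len(source_id) != 20 or len(handle) != 20:
        raise ValueError("SourceID and AssertionHandle are each 20 bytes")
    return base64.b64encode(TYPE_CODE_1 + source_id + handle).decode("ascii")


def parse_artifact(artifact: str) -> tuple[bytes, bytes]:
    """Return (SourceID, AssertionHandle); reject anything but a well-formed type-1 artifact."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 42 or raw[:2] != TYPE_CODE_1:
        raise ValueError("not a type-1 SAML artifact")
    return raw[2:22], raw[22:]


def build_redirect(receiver_url: str, target: str, artifacts: list[str]) -> str:
    """Source-site side: one TARGET plus one SAMLart parameter per artifact."""
    params = [("TARGET", target)] + [("SAMLart", a) for a in artifacts]
    return receiver_url + "?" + urlencode(params)


def check_searchpart(redirect_url: str) -> tuple[str, bytes, list[bytes]]:
    """Destination-site side: enforce the profile's searchpart rules.
    Returns (TARGET, SourceID, [AssertionHandle, ...]) or raises ValueError."""
    qs = parse_qs(urlsplit(redirect_url).query, strict_parsing=True)
    targets = qs.get("TARGET", [])
    if len(targets) != 1:
        raise ValueError("exactly one TARGET is required")
    arts = qs.get("SAMLart", [])
    if not arts:
        raise ValueError("at least one SAMLart is required")
    parsed = [parse_artifact(a) for a in arts]
    if len({sid for sid, _ in parsed}) != 1:
        raise ValueError("all SAMLart values must carry the same SourceID")
    return targets[0], parsed[0][0], [handle for _, handle in parsed]


def searchpart_is_conforming(redirect_url: str) -> bool:
    try:
        check_searchpart(redirect_url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: SourceID is SHA-1 of a hypothetical source-site identifier;
    # the two handles stand in for the SSO assertion and the attribute assertion.
    src = hashlib.sha1(b"https://idp.example.test").digest()
    url = build_redirect("https://sp.example.test/artifact", "https://sp.example.test/app",
                         [make_artifact(src, bytes(range(20))), make_artifact(src, bytes(range(20, 40)))])
    print(check_searchpart(url))
```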