OASIS Mailing List Archives

security-services message


Subject: RE: [security-services] Groups -sstc-saml-profiles-2.0-draft-08-diff.pdf uploaded


> 254 - SOAP Binding is omitted.

The Artifact Binding does not assume that the SOAP binding is used to
dereference the artifact, therefore neither does this profile. That's a
conformance question.

> 264 - also updates (or at least subsumes) artifact confirmation method

True.

> 324 - In both of sections 4.1.3.3 or 4.1.3.5, the possibility of the
> <AuthnRequest> and <Response> being passed through the artifact binding is
> presented but no mention is made of the subsequent dereferencing step.

I don't mind mentioning it in passing, but I was trying to keep this
sequence of steps constrained to the SSO message exchange.

> 333 - does the recommendation 'that the HTTP exchanges in this step be
> made over SSL or TLS' include both front and back-channel HTTP 
> interactions? Same for line 358.

Only the front-channel, needs clarification. The use of the artifact binding
brings along its own practices, of course.

> 346 - 'in the form of <RequestedAuthnContext> or <Scoping>'

Good catch, thanks.

> 456 - the URI for ecp doesn't include 'SSO', as does the browser profile,
> e.g. '...profiles:ecp' versus '...profiles:SSO:browser'

I think I probably made up the SSO URI, so I'm to blame for the
inconsistency.

-- Scott


