[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] List of possible implementation features for SAML 2.0
Prateek, I've no strong feelings on the matter. Would be comfortable with either, just GET or just POST John PS perhaps I should have come to the F2F! > -----Original Message----- > From: Mishra, Prateek [mailto:email@example.com] > Sent: 01 July 2004 14:55 > To: Scott Cantor; 'John Hughes' > Cc: firstname.lastname@example.org > Subject: RE: [security-services] List of possible implementation > features for SAML 2.0 > > > John, this was discussed at the F2F and I am reasonably > comfortable with the > current state of the binding. I don't think it needs to be exposed at the > conformance level, it is not really a choice point for implementers (maybe > for deployers). > > I have been concerned about the issue of burying a number of > choices within > bindings and the implementation cost of the same. However, in this case, I > understand that the implementation cost is modest: you have a single > "artifact consumer" URL which either finds the artifact on the URL line or > in the POST body. Using POST for artifact delivery mitigates the > "referrer" > issue identified by Thomas Gross. > > In fact, here is a different position altogether: remove the GET part > completely and retain only the POST delivery method. This limits the > implementations to just one form and avoids the "referrer" issue. > > Comments? > > -----Original Message----- > From: Scott Cantor [mailto:email@example.com] > Sent: Wednesday, June 30, 2004 6:17 PM > To: 'John Hughes'; Mishra, Prateek > Cc: firstname.lastname@example.org > Subject: RE: [security-services] List of possible implementation features > for SAML 2.0 > > > this may add perhaps too much detail - but do you want to > capture the fact > > that the HTTP Artifact binding can use HTML forms or URL encoding to > > transport the artifact (albeit that conformant implementation for this > > binding MUST implement both) > > It was my hope we'd just bury that inside the binding and not have to call > it out in conformance. Given the choice between that and having to make > things even more complex there, I'd actually be in favor of just > backing off > to GET. > > I just think allowing POST is a good nod toward security without > costing us > much in complexity. > > -- Scott > > > > To unsubscribe from this mailing list (and be removed from the > roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/security-services/members/leave _workgroup.php.