Subject: RE: [security-services] comments on sstc-saml-profiles-2.0-draft-12
I have a follow-on question - just to help my understanding - although it may be useful to place the answer somewhere in the SAML doc set (if not already there)...

In the Web Browser profiles we have (at some point) the subject authenticating to the Identity Provider - so that a security context is established. Yet in ECP that step is not described. What is the trust relationship so that the IdP sends the "correct" <Response> to the SP? Does this rely on the <AuthnRequest> being signed? If so - why is this not a MUST?

John

> -----Original Message-----
> From: John Hughes [mailto:email@example.com]
> Sent: 07 July 2004 11:32
> To: Security-Services
> Subject: [security-services] comments on sstc-saml-profiles-2.0-draft-12
>
> Comments on the ECP section:
>
> - Naive question and observation - but why haven't we brought the actual
>   PAOS spec under SAML. Just seems odd that part of SAML 2.0 specs refer out
>   to liberty (whereas everything else has been folded into SAML 2.0)
>
> - 4.2.3 line 582. URNs should be double quoted - rather than single
>
> - 4.2.4 line 600. "SOAP request" -> "<AuthnRequest>" ??
>
> - 184.108.40.206 should the optional <S:Header> .. </S:Header> be shown. The
>   example in the SOAP binding does not include this.
>
> - 220.127.116.11 line 623 "bythe" -> "by the"
>
> - 4.2.6. line 767. Not clear why need reference to 18.104.22.168. Processing
>   rules for POST
>
> John
>
> To unsubscribe from this mailing list (and be removed from the
> roster of the OASIS TC), go to
> http://www.oasis-open.org/apps/org/workgroup/security-services/members/leave_workgroup.php.