Subject: RE: [security-services] AssertionConsumerServiceIndex vs. AssertionConsumerURL
> Just a final clarification, I think we should add some verbiage
> around the AssertionConsumerURL element along the lines of:
>
> The IdP MUST verify that the URL is within the control
> of the provider for whom the Assertion is being
> requested. This can take the form of requiring that
> the provider sign the request, or some other means
> outside the scope of this specification.

I refer you to the current spec, line 1912:

"AssertionConsumerServiceURL [Optional] Specifies by value the location to which the <Response> message MUST be returned to the request issuer. The responder MUST ensure by some means that the value specified is in fact associated with the request issuer. [SAMLMeta] provides one possible mechanism."

The text just in front of that for the Index version is similar. We could easily add something about the signing option here; it's along the lines of the metadata comment anyway.

The Recipient thing is in addition to this, not in place of it. I kept the Recipient idea (in modified form) because it was already in SAML and I was used to it.

I studied the differences between the SAML and Liberty profiles at length when I first got involved in Liberty and because we were applying similar privacy controls to the SAML profiles. It was clearly necessary to add the mechanisms from ID-FF no matter what else was done.

-- Scott
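The responder-side check discussed in this thread (the IdP must ensure an AssertionConsumerServiceURL or Index is actually associated with the request issuer, with SP metadata as one mechanism) can be shown concretely. The following is an added example written for this page; it is not code from the SAML specification, the OASIS TC, or any named implementation. The SP metadata document, the entityID `https://sp.example.org/saml`, and the function names are all constructed for illustration. It resolves the endpoint from the issuer's registered AssertionConsumerService entries and rejects anything unregistered, and includes the SP-side Recipient comparison that the thread describes as a separate, additional check.

```python
"""
Resolve and validate a SAML 2.0 AssertionConsumerService endpoint against
SP metadata before an IdP returns a <Response>.  Added example code for this
discussion; the metadata, entityID and helper names are constructed.
"""
from collections import namedtuple
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata for a hypothetical service provider.
SP_METADATA_XML = f"""
<EntityDescriptor xmlns="{MD_NS}" entityID="https://sp.example.org/saml">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0" isDefault="true"
        Binding="{HTTP_POST}" Location="https://sp.example.org/saml/acs"/>
    <AssertionConsumerService index="1"
        Binding="{HTTP_POST}" Location="https://sp.example.org/saml/acs-alt"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""

Endpoint = namedtuple("Endpoint", "index binding location is_default")


class AcsValidationError(ValueError):
    """The requested ACS endpoint is not registered for the request issuer."""


def load_registry(*metadata_docs):
    """Build {entityID: [Endpoint, ...]} from one or more SP metadata documents."""
    registry = {}
    for doc in metadata_docs:
        root = ET.fromstring(doc)
        endpoints = []
        for acs in root.iter(f"{{{MD_NS}}}AssertionConsumerService"):
            endpoints.append(Endpoint(
                index=int(acs.get("index")),
                binding=acs.get("Binding"),
                location=acs.get("Location"),
                is_default=acs.get("isDefault", "false").lower() == "true",
            ))
        registry[root.get("entityID")] = endpoints
    return registry


def resolve_acs(registry, issuer, acs_url=None, acs_index=None):
    """
    Pick the endpoint a <Response> may be returned to, enforcing that the
    value named in the request belongs to the issuer.

    * Index form: must be an index registered for this issuer.
    * URL form: must equal a registered Location exactly (no prefix or
      host-only comparison; loose matching is where redirect bugs creep in).
    * Neither: the issuer's default endpoint, else the lowest index.
    """
    endpoints = registry.get(issuer)
    if not endpoints:
        raise AcsValidationError(f"unknown issuer {issuer!r}")
    if acs_index is not None:
        for ep in endpoints:
            if ep.index == acs_index:
                return ep
        raise AcsValidationError(f"index {acs_index} not registered for {issuer}")
    if acs_url is not None:
        for ep in endpoints:
            if ep.location == acs_url:
                return ep
        raise AcsValidationError(f"URL {acs_url!r} not registered for {issuer}")
    defaults = [ep for ep in endpoints if ep.is_default]
    return defaults[0] if defaults else min(endpoints, key=lambda ep: ep.index)


def acs_is_acceptable(registry, issuer, acs_url=None, acs_index=None):
    """Boolean convenience wrapper around resolve_acs for policy decisions."""
    try:
        resolve_acs(registry, issuer, acs_url=acs_url, acs_index=acs_index)
        return True
    except AcsValidationError:
        return False


def recipient_matches(recipient, received_at):
    """
    SP-side companion check: the Recipient in SubjectConfirmationData must
    equal the URL the response actually arrived at, so an assertion issued
    for one consumer endpoint is not accepted at another.
    """
    return recipient == received_at


if __name__ == "__main__":
    reg = load_registry(SP_METADATA_XML)
    print(resolve_acs(reg, "https://sp.example.org/saml", acs_index=1).location)
    print(acs_is_acceptable(reg, "https://sp.example.org/saml",
                            acs_url="https://elsewhere.example.net/acs"))
```

The signed-request option the thread mentions would replace the metadata lookup with signature verification over the AuthnRequest; that path is not shown here because it depends on the SP's key material and the XML signature library in use. Note that `resolve_acs` compares the URL as a whole string, which is the conservative reading of "associated with the request issuer": a trailing slash or different path is treated as a different endpoint rather than normalised away.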