OASIS Mailing List Archives



security-services message


Subject: RE: [security-services] AssertionConsumerServiceIndex vs. AssertionConsumerURL

> Just a final clarification, I think we should add some verbiage
> around the AssertionConsumerURL element along the lines of:
>     The IdP MUST verify that the URL is within the control
>     of the provider for whom the Assertion is being
>     requested.  This can take the form of requiring that
>     the provider sign the request, or some other means
>     outside the scope of this specification.

I refer you to the current spec, line 1912:

"AssertionConsumerServiceURL [Optional]

Specifies by value the location to which the <Response> message MUST be
returned to the request issuer. The responder MUST ensure by some means that
the value specified is in fact associated with the request issuer.
[SAMLMeta] provides one possible mechanism."

The text just in front of that for the Index version is similar.

We could easily add something about the signing option here; it's along the
lines of the metadata comment anyway.

The Recipient thing is in addition to this, not in place of it. I kept the
Recipient idea (in modified form) because it was already in SAML and I was
used to it.

I studied the differences between the SAML and Liberty profiles at length
when I first got involved in Liberty and because we were applying similar
privacy controls to the SAML profiles. It was clearly necessary to add the
mechanisms from ID-FF no matter what else was done.

-- Scott
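The check the quoted spec text describes (the responder MUST ensure the AssertionConsumerServiceURL, or the endpoint an Index refers to, is in fact associated with the request issuer, with [SAMLMeta] as one mechanism) is shown below as an added example. It is not code from this thread or from any SAML implementation; it is written here in Python. The metadata registry, entity ID and URLs are constructed stand-ins, the rule that AssertionConsumerServiceIndex is mutually exclusive with AssertionConsumerServiceURL/ProtocolBinding is taken from the final SAML 2.0 core text rather than the draft discussed above, and the other option raised in the thread (requiring a signed request) is not implemented, since signature verification is outside what this snippet shows.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ARTIFACT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed stand-in for what the IdP has loaded from the SP's metadata
# ([SAMLMeta]): entityID -> AssertionConsumerService endpoints. The entity ID
# and URLs are hypothetical; no real deployment is described.
REGISTERED_ACS = {
    "https://sp.example.org/saml": [
        {"index": 0, "binding": POST_BINDING, "default": True,
         "location": "https://sp.example.org/saml/acs"},
        {"index": 1, "binding": ARTIFACT_BINDING, "default": False,
         "location": "https://sp.example.org/saml/artifact"},
    ],
}


class AcsValidationError(Exception):
    """The request names a response location the IdP must not use."""


def resolve_acs(request_xml, registered=REGISTERED_ACS):
    """Return the registered endpoint a <Response> may go to, or raise.
    A URL supplied by value is honoured only if the issuer's metadata lists it."""
    root = ET.fromstring(request_xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise AcsValidationError("not a samlp:AuthnRequest")
    issuer_el = root.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    endpoints = registered.get(issuer)
    if not endpoints:
        raise AcsValidationError("unknown or missing issuer %r" % issuer)

    index = root.get("AssertionConsumerServiceIndex")
    url = root.get("AssertionConsumerServiceURL")
    binding = root.get("ProtocolBinding")
    # The indirect (Index) and by-value (URL/ProtocolBinding) forms are exclusive.
    if index is not None and (url is not None or binding is not None):
        raise AcsValidationError("Index and URL/ProtocolBinding are mutually exclusive")

    if index is not None:
        if not index.isdigit():
            raise AcsValidationError("non-integer AssertionConsumerServiceIndex")
        for ep in endpoints:
            if ep["index"] == int(index):
                return ep
        raise AcsValidationError("index %s not registered for %s" % (index, issuer))

    if url is not None:
        # Exact string comparison, no prefix match or normalisation, so neither
        # a lookalike host nor another path on the real host can be smuggled in.
        for ep in endpoints:
            if ep["location"] == url and binding in (None, ep["binding"]):
                return ep
        raise AcsValidationError("URL %r is not a registered ACS of %s" % (url, issuer))

    # Neither given: use the metadata default (else the first) endpoint,
    # narrowed by ProtocolBinding when the request names one.
    candidates = [ep for ep in endpoints if binding in (None, ep["binding"])]
    if not candidates:
        raise AcsValidationError("no registered ACS for binding %r" % binding)
    return next((ep for ep in candidates if ep["default"]), candidates[0])


def rejected(request_xml):
    """True if resolve_acs refuses the request (helper for the demo)."""
    try:
        resolve_acs(request_xml)
    except AcsValidationError:
        return True
    return False


def authn_request(issuer, **attrs):
    """Minimal constructed, unsigned AuthnRequest used to drive the check."""
    extra = "".join(' %s="%s"' % kv for kv in attrs.items())
    return ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_req1" '
            'Version="2.0" IssueInstant="2004-01-01T00:00:00Z"%s>'
            '<saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>'
            % (NS["samlp"], NS["saml"], extra, issuer))


def demo():
    """Honest request by index is resolved; a forged by-value URL is refused."""
    sp = "https://sp.example.org/saml"
    chosen = resolve_acs(authn_request(sp, AssertionConsumerServiceIndex="1"))
    forged = authn_request(sp, AssertionConsumerServiceURL="https://evil.test/acs")
    return chosen["location"], rejected(forged)
```

The location this returns is the one the IdP would then place in the Response's Destination and in SubjectConfirmationData/@Recipient, so the Recipient check performed at the SP sits on top of this lookup rather than replacing it, which is the point made in the message above.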
