security-services message


Subject: Comments on profiles-2.0-cd-01

- Section - Line 547 states 'any such authentication statements MUST include a
SessionIndex attribute to enable per-session logout requests by the service provider.'
 a) refers to SessionIndex attribute rather than element
 b) Why not explicitly state that the authority MUST use unique values for subsequent values of <SessionIndex> to the same SP rather than express the requirement in a roundabout way
- Section - Line 1239 - Reference to Section should be to Section
- Section - we provide very little guidance on how the IDP should (or shouldn't) propagate error information from Session Participants to the original initiating SLO SP. Line 1242 states
'the identity provider MUST respond to the original request with a <LogoutResponse> containing
an appropriate status code to complete the SAML protocol exchange'
but what is an 'appropriate status code'? Is it 'Success' if the IDP received 'Success' from 2 of the 3 SPs it sent <LogoutRequest>s to? Is this 'implementation dependent'?
Given that more than one SP could return different second-level <StatusCode>s to the IDP, is there a need for 
a new generic code URI for the IDP to use in its response to the original SP, e.g.
The schema as is doesn't support the IDP sending them all on.
- Section 7.4.2 - Line 1585 - makes reference to Section 2.3.3 as the appropriate section
 for <EncryptedID> in [SAMLCore]. The actual relevant section number in Core is 2.2.3
Paul Madsen
e:  p.madsen@entrust.com
p:  613-270-2632
c:  613-799-2632
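The two spec questions raised above (unique <SessionIndex> values per SP, and what status an IDP returns to the initiating SP when fan-out to other session participants only partly succeeds) are easier to reason about with a concrete IDP-side model. The following is an added illustration, not code from the message or from any SAML implementation: the aggregation policy (top-level Success with a second-level PartialLogout code when at least one participant did not confirm) is this example's own assumption, modelled on the second-level code the final SAML 2.0 Core defines, not on the cd-01 draft being reviewed; the entity IDs are constructed.

```python
import secrets
from dataclasses import dataclass
from typing import List, Optional

# Real SAML 2.0 status code URIs; PartialLogout is a second-level code from the final
# Core spec and is assumed here (the cd-01 draft under review does not define it).
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
PARTIAL_LOGOUT = "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"


@dataclass
class ParticipantResult:
    """Outcome of one <LogoutRequest> the IDP sent to a session participant."""
    sp_entity_id: str
    top_level: Optional[str]          # None models no <LogoutResponse> at all (e.g. timeout)
    second_level: Optional[str] = None


@dataclass
class AggregateStatus:
    """What the IDP puts in the <LogoutResponse> to the SP that started SLO."""
    top_level: str
    second_level: Optional[str]
    unresolved: List[str]             # participants that did not report Success


def aggregate_logout_status(results: List[ParticipantResult]) -> AggregateStatus:
    # Assumed policy: the IDP's own session is gone, so the top level is Success;
    # any participant that did not confirm is surfaced via PartialLogout and listed
    # so the IDP can log exactly which sessions may still be live.
    unresolved = [r.sp_entity_id for r in results if r.top_level != SUCCESS]
    if not unresolved:
        return AggregateStatus(SUCCESS, None, [])
    return AggregateStatus(SUCCESS, PARTIAL_LOGOUT, unresolved)


class SessionIndexIssuer:
    """Issues <SessionIndex> values that are never reused toward the same SP,
    so a later per-session <LogoutRequest> can only match one session."""

    def __init__(self) -> None:
        self._issued = {}             # sp_entity_id -> set of values already handed out

    def issue(self, sp_entity_id: str) -> str:
        seen = self._issued.setdefault(sp_entity_id, set())
        while True:
            candidate = "_" + secrets.token_hex(16)   # 128 random bits, NCName-safe prefix
            if candidate not in seen:               # reuse check makes uniqueness explicit
                seen.add(candidate)
                return candidate
```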
