Subject: I suggest adding some text to request/response processing rules
I’ve been asked a number of times about how a SAML authority
should respond to a request/query message that, while being schema-valid,
violates normative processing rules because of some bad data. The spec
has not been explicit, but based on conversations and interops, my assumption
has always been that this is where the authority should reply with a Response
message that contains no assertions and holds a top-level Status value of urn:…:status:Requester.

An example we’ve actually encountered is where a
requester specifies a timestamp value that doesn’t abide the rules re: UTC/Zulu
formats.

I believe we should add some text to the processing rules
(section 3.3.4) that states that a SAML authority MUST respond as I described. Also, if a relying party receives a similar type of message,
it MUST reject the assertion.

Do folks agree?

Proposed text:

At line 1819, insert:

“If a SAML authority receives a request message that,
while being schema-valid, contains or is missing information that makes the
message invalid according to SAML processing rules, the <Response>
element returned by the authority MUST NOT contain an <Assertion> element
and MUST include a <StatusCode> element with the value
urn:oasis:names:tc:SAML:2.0:status:Requester.

If a SAML relying party receives a message that, while being
schema-valid, contains or is missing information that makes it invalid
according to SAML processing rules, the SAML message MUST be rejected.”

Rob Philpott
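
The behaviour the proposed text describes, as an added Python example that is not part of the original message or of the SAML specification: a request whose time attributes are schema-valid `xs:dateTime` values but not in UTC form gets a Response with no Assertion and a top-level Requester status. The function names, the set of attributes checked and the sample request are assumptions made for illustration.

```python
import re
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
# A zone offset such as -05:00 is a valid xs:dateTime, so schema validation
# accepts it; the UTC/Zulu rule needs its own check.
UTC_FORM = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z")
TIME_ATTRS = ("IssueInstant", "NotBefore", "NotOnOrAfter")  # assumed set

def timestamp_violations(request):
    """List time attributes anywhere in the request that are not in UTC form."""
    problems = []
    for elem in request.iter():
        for name in TIME_ATTRS:
            value = elem.get(name)
            if value is not None and not UTC_FORM.fullmatch(value):
                problems.append(f"{name}={value!r} is not in UTC form")
    return problems

def respond(request_xml):
    """Return a Requester-status Response for a bad request, else None."""
    request = ET.fromstring(request_xml)
    problems = timestamp_violations(request)
    if not problems:
        return None  # request passes this check; normal processing continues
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    response = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": now,
        "InResponseTo": request.attrib["ID"],
    })
    # No Assertion element is ever attached on this path.
    status = ET.SubElement(response, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": REQUESTER})
    ET.SubElement(status, f"{{{SAMLP}}}StatusMessage").text = "; ".join(problems)
    return response

# Constructed sample: schema-valid, but IssueInstant carries a zone offset.
BAD_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_constructed1" '
    'Version="2.0" IssueInstant="2005-01-31T12:00:00-05:00"/>'
)

if __name__ == "__main__":
    print(ET.tostring(respond(BAD_REQUEST), encoding="unicode"))
```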