[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: I suggest adding some text to request/response processing rules
I’ve been asked a number of times about how a SAML authority should respond to a request/query message that, while being schema-valid, violates normative processing rules because of some bad data. The spec has not been explicit, but based on conversations and interops, my assumption has always been that this is where the authority should reply with a Response message that contains no assertions and holds a top-level Status value of urn:…:status:Requester.
An example we’ve actually encountered is where a requester specifies a timestamp value that doesn’t abide the rules re: UTC/Zulu formats.
I believe we should add some text to the processing rules (section 3.3.4) that states that a SAML authority MUST respond as I described.
Also, if a relying party receives a similar type of message, it MUST reject the assertion.
Do folks agree?
At line 1819, insert:
“If a SAML authority receives a request message that, while being schema-valid, contains or is missing information that makes the message invalid according to SAML processing rules, the <Response> element returned by the authority MUST NOT contain an <Assertion> element and MUST include a <StatusCode> element with the value urn:oasis:names:tc:SAML:2.0:status:Requester.
If a SAML relying party receives a message that, while being schema-valid, contains or is missing information that makes it invalid according to SAML processing rules, the SAML message MUST be rejected.”