OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] I suggest adding some text to request/response processing rules

> I believe we should add some text to the processing rules 
> (section 3.3.4) that states that a SAML authority MUST 
> respond as I described.
> Also, if a relying party receives a similar type of message, 
> it MUST reject the assertion.

The distinction I was making, that I think Irving was ok with, was that as a
SAML responder, I should be allowed to either:

- Be strict and reject anything fishy, in which case I MUST return an error

- Be liberal and guess at the intent (clearly reasonable in some cases and
not in others). But if I do, and I consider the intent to be valid, then I
should follow whatever rules come up for a valid message, which still might
mean I return an error, if something else goes wrong.

The main thing is to make sure that regardless, if I decide the message is
invalid, I MUST return an error and I CANNOT return Success.

> Proposed text:

How about:

"If a SAML responder deems the message to be invalid according to SAML
processing rules, then if it responds, it MUST return a SAML response with a
<StatusCode> element with the value

The distinction being that it leaves it up to the responder to decide
whether the message is valid.

I think another important thing is that no protocol should make it
impossible for a responder to return an error in such a case. I hope that
that isn't the problem. ;-)

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]