
security-services message


Subject: An ambiguity in 1.1 that we should clarify in SAML 2.0 re: artifact processing

The following issue came up when dealing with some conformance test cases for SAML 1.1.  I provided my opinion in a response.  We should decide how to modify the text to clarify the expected behavior.





TC #39 – When a request to dereference is sent over a connection authenticated by Partner A, but with an artifact the TA had sent to Partner B, the response should be a status code of “Success” and no assertions.  When a request is next made over a channel authenticated by Partner B using an artifact sent to Partner B, how should the TA respond?  Should it return the assertions, or an error code?

[RSP] Hmmm – This isn’t defined in the spec.  Technically, you could treat them independently and return an assertion to B.  But the paranoid in me says the AP should audit the first event (artifact didn’t come from the right site), and declare the one-time use of the artifact to be met, discard it, and return no assertion when it comes from the expected site.  That would hopefully alert folks at all 3 sites that there is a problem that needs to be investigated.  At least that’s how I’d build a “secure” product.


We should probably have the TC decide on the correct response, document it in a V1.1 corrigendum, and address it in V2.0 as well.



Rob Philpott
Senior Consulting Engineer 
RSA Security Inc.
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
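
The two behaviors discussed in the message above, side by side, as an added example that is not part of the original message or of any SAML product. The class, function and partner names are hypothetical, the artifact is a random token rather than the real SAML artifact encoding, and answering an unknown artifact with "Success" and no assertions is an assumption that mirrors the response the test case describes.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class ArtifactResolver:
    """Toy artifact store at the issuing site (hypothetical, not a real library API)."""
    consume_on_mismatch: bool = True  # True = discard the artifact after a wrong-site request
    store: dict = field(default_factory=dict)      # artifact -> (intended partner, assertion)
    audit_log: list = field(default_factory=list)  # events an operator would investigate

    def issue(self, partner, assertion):
        artifact = secrets.token_hex(20)  # constructed value, not the SAML artifact format
        self.store[artifact] = (partner, assertion)
        return artifact

    def dereference(self, authenticated_partner, artifact):
        """Answer a request arriving over a channel authenticated as authenticated_partner."""
        entry = self.store.get(artifact)
        if entry is None:
            # Unknown or already-consumed artifact (assumed handling: Success, no assertions).
            self.audit_log.append(("unknown_or_used", authenticated_partner))
            return ("Success", [])
        intended, assertion = entry
        if authenticated_partner != intended:
            # Artifact presented by a site it was not sent to: always audit.
            self.audit_log.append(("wrong_requester", authenticated_partner, intended))
            if self.consume_on_mismatch:
                del self.store[artifact]  # declare one-time use met
            return ("Success", [])
        del self.store[artifact]  # normal one-time use by the intended site
        return ("Success", [assertion])


def run_tc39(consume_on_mismatch):
    """Replay the TC #39 sequence: Partner A first, then Partner B, same artifact."""
    resolver = ArtifactResolver(consume_on_mismatch=consume_on_mismatch)
    artifact = resolver.issue("PartnerB", "<Assertion for PartnerB>")
    first = resolver.dereference("PartnerA", artifact)
    second = resolver.dereference("PartnerB", artifact)
    return first, second, resolver.audit_log


if __name__ == "__main__":
    for policy in (False, True):
        print("consume_on_mismatch =", policy, "->", run_tc39(policy))
```

With `consume_on_mismatch=False` the two requests are treated independently and Partner B still receives the assertion; with `True`, Partner B's request comes back empty and both events land in the audit log.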

