Subject: RE: [security-services-comment] SAML 2.0 Identity Provider Discover Profile
Thanks, comments inline:

> Section 4.3 of [SAMLProf]
>
> [lines 1063--1064] Delete the phrase "when authentication of the
> principal occurs" since the common domain writing service has no
> knowledge of this event. The service is simply carrying out the
> wishes of the IdP.

Noted.

> [line 1066] The phrases "no Path prefix" and "a Path prefix of "/""
> refer to the most specific and most general paths, respectively. Is
> this intentional, and if so, why?

I think this was a Liberty error, thinking that omitting the path would be equivalent to "/", which is incorrect. I will check next call, but have tentatively changed this.

> [lines 1066--1067] The phrase "[common-domain]" is not well defined.
> Suppose the common domain is CommonDomain.com. Then the Domain
> attribute of the cookie should be set to ".CommonDomain.com". RFC
> 2109 states that the Domain attribute "must always start with a dot."
> RFC 2965 (which obsoletes RFC 2109) states that if the Domain
> attribute "does not start with a dot, the user agent supplies a
> leading dot." It is safest, however, to explicitly include the dot.

Have added a SHOULD to include a leading period. The RFCs seem to be in practice meaningless, but a period does no harm.

> [line 1098] The common domain server does not "set the cookie" on
> behalf of the service provider. Instead, it READS the cookie and
> (presumably) returns the value in a query string parameter.

Already noted and fixed.

-- Scott
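The two scoping points in the exchange above (an omitted Path is narrower than Path=/, and a Domain attribute with or without a leading dot ends up matching the same hosts) can be checked mechanically. The following is an added example written for this page, not code from the thread or from the SAML specification. It implements the RFC 6265 default-path and domain/path matching rules, which is the behaviour current user agents apply; the cookie name `_saml_idp`, the host names and the cookie value are constructed for illustration.

```python
"""Check whether a common-domain cookie, as set by the common domain writing
service, would be sent back to the common domain reading service.

Added example (not part of the original thread). Implements the RFC 6265
rules for default-path (section 5.1.4), domain-matching (5.1.3) and
path-matching (5.1.4). Host names, paths and the cookie value below are
constructed sample data.
"""


def default_path(request_path: str) -> str:
    """RFC 6265 5.1.4: path used when the Set-Cookie header carries no Path.

    It is the request path up to, but not including, the right-most "/",
    which is why "no Path" is narrower than "Path=/"."""
    if not request_path.startswith("/"):
        return "/"
    idx = request_path.rfind("/")
    return "/" if idx <= 0 else request_path[:idx]


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 5.1.4 path-match."""
    if cookie_path == request_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def normalise_domain(domain: str) -> str:
    """Canonical form: lower-case, leading dot stripped (RFC 6265 5.2.3 ignores
    the dot, RFC 2965 would add one; either way the effective scope is the
    same, so including the dot, as the thread suggests, does no harm)."""
    d = domain.strip().lower()
    return d[1:] if d.startswith(".") else d


def domain_matches(cookie_domain: str, host: str) -> bool:
    """RFC 6265 5.1.3 domain-match: identical host, or host is a subdomain."""
    cd = normalise_domain(cookie_domain)
    h = host.lower()
    return h == cd or h.endswith("." + cd)


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value.strip(), attrs


def cookie_reaches(header: str, set_on_host: str, set_on_path: str,
                   request_host: str, request_path: str) -> bool:
    """Would a cookie set by `set_on_host` at `set_on_path` with this header
    be included in a later request to `request_host` + `request_path`?"""
    _name, _value, attrs = parse_set_cookie(header)
    cookie_path = attrs.get("path") or default_path(set_on_path)
    if "domain" in attrs and attrs["domain"]:
        domain_ok = domain_matches(attrs["domain"], request_host)
    else:
        # No Domain attribute: host-only cookie, returned to the setting host only.
        domain_ok = request_host.lower() == set_on_host.lower()
    return domain_ok and path_matches(cookie_path, request_path)


def build_common_domain_cookie(common_domain: str, idp_list_b64: str) -> str:
    """Header the writing service should emit: explicit leading period and
    Path=/ so the reading service anywhere in the common domain sees it."""
    return ("_saml_idp=%s; Domain=.%s; Path=/; Secure"
            % (idp_list_b64, normalise_domain(common_domain)))


# Constructed sample: writer at /saml/cdc/writer, reader at /sp/discovery.
WRITER_HOST, WRITER_PATH = "writer.commondomain.com", "/saml/cdc/writer"
READER_HOST, READER_PATH = "reader.commondomain.com", "/sp/discovery"
IDP_LIST = "aHR0cHM6Ly9pZHAuZXhhbXBsZS5vcmc="  # constructed base64 value

NO_PATH = "_saml_idp=%s; Domain=.commondomain.com" % IDP_LIST
ROOT_PATH = build_common_domain_cookie("CommonDomain.com", IDP_LIST)

if __name__ == "__main__":
    print("omitted Path reaches reader:", cookie_reaches(NO_PATH, WRITER_HOST, WRITER_PATH, READER_HOST, READER_PATH))
    print("Path=/ reaches reader:", cookie_reaches(ROOT_PATH, WRITER_HOST, WRITER_PATH, READER_HOST, READER_PATH))
```

Running it shows the omitted-Path cookie is confined to `/saml/cdc` and never reaches the reading service, while the `Path=/` form does; the same check with `Domain=CommonDomain.com` (no dot) reaches the reader too, which is why the leading period is a SHOULD rather than a MUST.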