security-services message



Subject: RE: [security-services] ECP and PAOS


> In liberty PAOS spec, the examples (at the end of section 8)
> imply that Correlation Header (from liberty soap binding spec)
> to be included as a SOAP header (in addition to PAOS request
> header) in both PAOS request and response messages.

I didn't recall any dependency in PAOS on that SOAP binding spec, but PAOS
is the authority on this part, not SAML. It's just a call out to whatever it
says to do.

> In SAML2 profile spec ECP-related sections 4.2.4.3 and
> 4.2.4.5, the examples do not include the Correlation header.

If PAOS requires it, then this should be SAML errata, but always take
examples with serious salt, they aren't normative.

> So the question is if I'm implementing ECP, SP and IDP support
> for ECP, do I include this correlation header or not?

I'll let the PAOS experts answer that.

> One additional question, in SAML2 binding doc, section 3.3,
> which talks about PAOS Binding also, there is a urn defined:
>     urn:oasis:names:tc:SAML:2.0:bindings:PAOS

This is the binding URI for the SAML binding. It's required that all SAML
bindings have one.

> I don't see the use of it since the ECP examples in SAML2
> profile spec uses liberty urn:
>     urn:liberty:paos:2003-08
> 
> Shouldn't we have just one of these two (maybe keeping the
> liberty one)?

No. The Liberty URN is a PAOS specified thing used in the HTTP header. The
SAML binding URI is metadata about the spec, it's not a wire protocol value.

As an analogy, you don't put the SAML SOAP binding URI anywhere in the SOAP
messages you send either.

-- Scott
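
The distinction drawn in the reply above, as an added example that is not part of the original message or of either specification: the Liberty URN is checked in the HTTP `PAOS` request header, while the SAML binding URI is only looked up in SP metadata. The function names, hosts, sample headers and sample metadata are constructed for illustration, and the header layout assumed is `ver="<version>";"<service>"`.

```python
import re
import xml.etree.ElementTree as ET

PAOS_VERSION = "urn:liberty:paos:2003-08"                   # wire value: HTTP PAOS header
PAOS_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"  # metadata value: Binding attribute
ECP_SERVICE = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
PAOS_MEDIA_TYPE = "application/vnd.paos+xml"
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
QUOTED = re.compile(r"""["']([^"']+)["']""")

def client_advertises_ecp(headers):
    """True if HTTP request headers advertise PAOS support with the ECP service."""
    h = {k.lower(): v for k, v in headers.items()}
    media = [m.strip().lower() for m in re.split(r"[,;]", h.get("accept", ""))]
    if PAOS_MEDIA_TYPE not in media:
        return False
    # Assumed PAOS header layout: ver="<version>"[,...] ; "<service>"[,...]
    ver_part, _, service_part = h.get("paos", "").partition(";")
    if not ver_part.strip().lower().startswith("ver"):
        return False
    return (PAOS_VERSION in QUOTED.findall(ver_part)
            and ECP_SERVICE in QUOTED.findall(service_part))

def sp_paos_endpoints(metadata_xml):
    """Locations of AssertionConsumerService endpoints bound to SAML PAOS."""
    # Constructed local input only; parse untrusted metadata with a hardened parser (e.g. defusedxml).
    root = ET.fromstring(metadata_xml)
    tag = "{%s}AssertionConsumerService" % MD_NS
    return [e.get("Location") for e in root.iter(tag) if e.get("Binding") == PAOS_BINDING]

# Constructed samples (hypothetical hosts).
GOOD = {"Accept": "text/html, application/vnd.paos+xml",
        "PAOS": 'ver="urn:liberty:paos:2003-08";"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"'}
# The confusion the thread addresses: the SAML binding URI used as a wire value.
CONFUSED = dict(GOOD, PAOS='ver="%s";"%s"' % (PAOS_BINDING, ECP_SERVICE))
METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" Location="https://sp.example.org/SAML2/POST"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
    <md:AssertionConsumerService index="1" Location="https://sp.example.org/SAML2/ECP"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(client_advertises_ecp(GOOD), client_advertises_ecp(CONFUSED))
    print(sp_paos_endpoints(METADATA))
```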


