Subject: RE: [security-services] ECP and PAOS
> In liberty PAOS spec, the examples (at the end of section 8)
> imply that Correlation Header (from liberty soap binding spec)
> to be included as a SOAP header (in addition to PAOS request
> header) in both PAOS request and response messages.

I didn't recall any dependency in PAOS on that SOAP binding spec, but PAOS is the authority on this part, not SAML. It's just a call out to whatever it says to do.

> In SAML2 profile spec ECP-related sections 4.2.4.3 and
> 4.2.4.5, the examples do not include the Correlation header.

If PAOS requires it, then this should be SAML errata, but always take examples with serious salt, they aren't normative.

> So the question is if I'm implementing ECP, SP and IDP support
> for ECP, do I include this correlation header or not ?

I'll let the PAOS experts answer that.

> One additional question, in SAML2 binding doc, section 3.3,
> which talks about PAOS Binding also, there is a urn defined:
> urn:oasis:names:tc:SAML:2.0:bindings:PAOS

This is the binding URI for the SAML binding. It's required that all SAML bindings have one.

> I don't see the use of it since the ECP examples in SAML2
> profile spec uses liberty urn:
> urn:liberty:paos:2003-08
>
> Shouldn't we have just one of these two (maybe keeping the
> liberty one) ?

No. The Liberty URN is a PAOS specified thing used in the HTTP header. The SAML binding URI is metadata about the spec, it's not a wire protocol value. As an analogy, you don't put the SAML SOAP binding URI anywhere in the SOAP messages you send either.

-- Scott
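
Added example, not part of the original message or of any SAML/Liberty implementation: a Python sketch of where each of the two URNs discussed above is checked on the SP side, the Liberty URN in the HTTP `PAOS` header and the SAML binding URI in metadata. The ECP service URN comes from the SAML 2.0 ECP profile rather than from this thread; the header parsing is simplified, and the entity ID and endpoints are constructed.

```python
import re
import xml.etree.ElementTree as ET

PAOS_VERSION = "urn:liberty:paos:2003-08"  # wire value: HTTP PAOS header
PAOS_MIME = "application/vnd.paos+xml"     # wire value: HTTP Accept header
ECP_SERVICE = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"  # from the ECP profile
PAOS_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"    # metadata only
MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
QUOTED = re.compile(r"""["']([^"']+)["']""")

# Constructed sample SP metadata (hypothetical entity and endpoints).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.org/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.org/acs/post"/>
    <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://sp.example.org/acs/ecp"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def client_supports_ecp(headers):
    """True if the HTTP request advertises PAOS and the SAML ECP service."""
    h = {k.lower(): v for k, v in headers.items()}
    # Accept both "," and ";" as separators between media types.
    accepted = {t.strip().lower() for t in re.split(r"[;,]", h.get("accept", ""))}
    # Simplified PAOS header shape: ver="<version>"[,...];"<service>"[,...]
    ver_part, _, ext_part = h.get("paos", "").partition(";")
    name, _, ver_values = ver_part.partition("=")
    versions = QUOTED.findall(ver_values) if name.strip().lower() == "ver" else []
    services = QUOTED.findall(ext_part)
    return PAOS_MIME in accepted and PAOS_VERSION in versions and ECP_SERVICE in services


def paos_acs_location(metadata_xml):
    """Return the ACS Location registered under the PAOS binding URI, or None."""
    # Trusted, constructed input here; parse untrusted metadata with a
    # hardened XML parser (for example defusedxml) instead.
    root = ET.fromstring(metadata_xml)
    for acs in root.iterfind(".//md:AssertionConsumerService", MD_NS):
        if acs.get("Binding") == PAOS_BINDING:
            return acs.get("Location")
    return None
```

A request that puts the SAML binding URI in the `PAOS` header's `ver` field is rejected by `client_supports_ecp`, which mirrors the distinction drawn in the reply: that URI identifies the binding in metadata and is never a wire value.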