OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] ECP SSO Profile and Metadata

> Sure, and in my original message I think I mentioned that the SP would 
> either specify a PAOS AssertionConsumerService endpoint or specify PAOS 
> in ProtocolBinding. What I think we should advise against, in the ECP 
> case, is leaving the response binding completely unspecified, since 
> then there is the potential for ambiguity at the IdP SOAP 
> SingleSignOnService (if we define some other profile that 
> uses SOAP at the IdP in the future).

Definitely, but I don't think it's possible to leave it completely
unspecified, short of there being no default endpoint in the metadata, which
is more or less impossible.

The worst case scenario is you do SOAP in, and the default endpoint is
something incompatible with that (HTTP based), although even that's sort of
a matter of opinion. A client could theoretically bang SOAP in, and get back
a redirect or form with the response. ;-)

But sure, as a guideline, clearly any request ought to really carry
*something*. Leaving it out entirely usally seems like a bad idea.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]