[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] ECP SSO Profile and Metadata
> Sure, and in my original message I think I mentioned that the SP would > either specify a PAOS AssertionConsumerService endpoint or specify PAOS > in ProtocolBinding. What I think we should advise against, in the ECP > case, is leaving the response binding completely unspecified, since > then there is the potential for ambiguity at the IdP SOAP > SingleSignOnService (if we define some other profile that > uses SOAP at the IdP in the future). Definitely, but I don't think it's possible to leave it completely unspecified, short of there being no default endpoint in the metadata, which is more or less impossible. The worst case scenario is you do SOAP in, and the default endpoint is something incompatible with that (HTTP based), although even that's sort of a matter of opinion. A client could theoretically bang SOAP in, and get back a redirect or form with the response. ;-) But sure, as a guideline, clearly any request ought to really carry *something*. Leaving it out entirely usally seems like a bad idea. -- Scott
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]