
security-services message


Subject: RE: [security-services] ECP SSO Profile and Metadata

> So, to resurrect an earlier discussion:
> > But sure, as a guideline, clearly any request ought to really carry
> > *something*. Leaving it out entirely usually seems like a bad idea.
> Might it not be useful to require the ACSURL+binding/ACSIndex in
> the <AuthnRequest> when via ECP? (And not changing the paos:Request
> semantics.)

I don't really understand the point. Why not require it any time? What's
special about this profile? We didn't require it because there's a
defaulting mechanism, but defaulting only works for one binding in a given
deployment, obviously.

It's not a change to say that the profile, in terms of metadata, presumes
that the Binding in the SP is urn...PAOS. It was simply left out; there was
no metadata section in the profile included like there should have been.
Heck, we say when you write a new profile, include metadata considerations!
We didn't follow the rules.

I could just as easily be doing HTTP-* and not find a default ACS with a
compatible HTTP binding. Same problem.

-- Scott
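
The defaulting problem discussed in this message, as an added example that is not part of the original email or of any OASIS text: a binding-blind metadata default can point at an endpoint the active profile cannot use, while a request with no ACS information still resolves if the lookup is restricted to the profile's binding. The SP metadata is constructed, the function names are hypothetical, and filtering by binding is an assumed IdP policy, not a quoted spec requirement.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
PAOS = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed SP metadata: the deployment-wide default is the HTTP-POST endpoint.
SP_METADATA = f"""
<md:SPSSODescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:AssertionConsumerService index="0" isDefault="true"
      Binding="{POST}" Location="https://sp.example.org/acs/post"/>
  <md:AssertionConsumerService index="1"
      Binding="{PAOS}" Location="https://sp.example.org/acs/ecp"/>
</md:SPSSODescriptor>
"""

def acs_endpoints(xml_text):
    """Parse AssertionConsumerService entries, keeping isDefault tri-state."""
    flag = {"true": True, "1": True, "false": False, "0": False}
    return [{"binding": e.get("Binding"), "location": e.get("Location"),
             "index": int(e.get("index")), "default": flag.get(e.get("isDefault"))}
            for e in ET.fromstring(xml_text).iter(MD + "AssertionConsumerService")]

def pick_default(endpoints):
    """Metadata default: first isDefault=true, else first not marked false, else first."""
    for wanted in (True, None):
        for e in endpoints:
            if e["default"] is wanted:
                return e
    return endpoints[0] if endpoints else None

def resolve_acs(endpoints, profile_binding, acs_index=None):
    """Assumed IdP policy: only consider endpoints whose Binding matches the profile."""
    candidates = [e for e in endpoints if e["binding"] == profile_binding]
    if acs_index is not None:
        candidates = [e for e in candidates if e["index"] == acs_index]
    chosen = pick_default(candidates)
    if chosen is None:
        raise LookupError(f"no ACS compatible with {profile_binding}")
    return chosen["location"]

if __name__ == "__main__":
    eps = acs_endpoints(SP_METADATA)
    print("binding-blind default:", pick_default(eps)["location"])
    print("ECP (PAOS) request:   ", resolve_acs(eps, PAOS))
```

A request under a binding with no matching endpoint in the metadata (here HTTP-Artifact) raises `LookupError` rather than falling back to an incompatible default.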
