[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [security-services] ECP SSO Profile and Metadata
> So, to resurect an earlier discussion: > > > But sure, as a guideline, clearly any request ought to really carry > > *something*. Leaving it out entirely usally seems like a bad idea. > > Might it not be useful to require the ACSURL+binding/ACSIndex in > the <AuthnRequest> when via ECP? (And not changing the paos:Request > semantics.) I don't really understand the point. Why not require it any time? What's special about this profile? We didn't require it because there's a defaulting mechanism, but defaulting only works for one binding in a given deployment, obviously. It's not a change to say that the profile, in terms of metadata, presumes that the Binding in the SP is urn...PAOS. It was simply left out, there was no metadata section in the profile included like there should have been. Heck, we say when you write a new profile, include metadata considerations! We didn't follow the rules. I could just as easily be doing HTTP-* and not find a default ACS with a compatible HTTP binding. Same problem. -- Scott
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]