Subject: RE: [security-services] "Final" PE text for SSO profile
> In 3.4.1.4 there's text that says, "The resulting assertion(s) MUST
> contain a <saml:AudienceRestriction> element referencing the requester
> as an acceptable relying party. Other audiences MAY be included as
> deemed appropriate by the identity provider."

Yes, but that text is intended to apply only in the case that there is an absence of content in the AuthnRequest and a profile doesn't provide any guidance. There's a wording problem in that section because it starts off saying "the following is invariant across all profiles of this protocol", but then concludes with some things that are really more "defaults".

> I know you've been trying not to be redundant in profiles so it seems
> like (because of the above) we could drop the text in your proposal
> below that says, "Each bearer assertion MUST contain an <AudienceRestriction>
> including the service provider's unique identifier as an <Audience>."

I think it's best to be explicit on this so nobody gets confused and thinks that you can supply Conditions in the AuthnRequest that would prevent the IdP from inserting that condition.

-- Scott
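The relying-party side of the requirement discussed above, as an added example that is not from this thread or the SAML specification: a service provider that refuses a bearer assertion unless every <saml:AudienceRestriction> names its own entityID. The entityIDs and the sample assertions are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertions (not real IdP output).
ASSERTION_OK = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/sp</saml:Audience>
      <saml:Audience>https://other.example.net/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

ASSERTION_NO_AUDIENCE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Conditions/>
</saml:Assertion>"""


def audiences_per_restriction(assertion_xml):
    """Return one list of <saml:Audience> values per <saml:AudienceRestriction>."""
    root = ET.fromstring(assertion_xml)
    result = []
    for restriction in root.findall("saml:Conditions/saml:AudienceRestriction", SAML_NS):
        result.append([(a.text or "").strip() for a in restriction.findall("saml:Audience", SAML_NS)])
    return result


def audience_accepted(assertion_xml, sp_entity_id):
    """Relying-party check for a bearer assertion.

    Rejects an assertion that carries no AudienceRestriction at all, since the
    profile text under discussion makes that element mandatory. When several
    AudienceRestriction elements are present, each is evaluated independently
    and every one of them must list this SP's entityID (AND across
    restrictions, OR across the Audience values inside one restriction).
    """
    restrictions = audiences_per_restriction(assertion_xml)
    if not restrictions:
        return False
    return all(sp_entity_id in audiences for audiences in restrictions)
```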