OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: ECP-related errata


Ran across another possible errata:

 

In Conformance, Table 1’s ECP SSO row shows PAOS as the binding for ECP to SP, SP to ECP to IDP, IDP to ECP to SP, and SP to ECP communication.  This doesn’t seem correct to me according to the profile description.

  1. Initial ECP to SP communication accessing a resource is done over HTTP according to the PAOS binding (no SOAP envelope).
  2. SP to ECP transmission of an AuthnRequest is done using the PAOS binding with SOAP Header blocks for ECP Request, ECP RelayState (optional), and PAOS.
  3. ECP to IDP transfer of the AuthnRequest is done using a SOAP binding.
  4. IDP to ECP transmission of the SAML Response message is done using a SOAP binding with SOAP Header blocks for ECP Request and ECP RelayState (optional).
  5. ECP to SP transfer of the Response is done using PAOS with optional SOAP headers for PAOS Response and ECP RelayState.
  6. SP to ECP return of the requested resource is done with normal HTTP.

 

Thus, we need to rework the rows a bit to make them correct. Perhaps identifying the protocol messages as in browser web SSO?

 

Row 1: HTTP Request from ECP to SP: Binding=PAOS

Row 2: <AuthnRequest> from SP to ECP, <Response> from ECP to SP: Binding=PAOS

Row 3: <AuthnRequest> from ECP to IDP, <Response> from IDP to ECP, Binding=SOAP

 

I guess Rows 1 and 2 could be combined, since they’re both PAOS bindings.  However, the first uses no SOAP envelope/header blocks; just HTTP header fields. Row 2 uses a SOAP envelope with SOAP header blocks. I just couldn’t come up with a useful way to indicate this with columns labeled “Message Flows” and “Binding”.

Rob Philpott
Senior Consulting Engineer
RSA Security Inc.
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
Email:
rphilpott@rsasecurity.com
I-name:  =Rob.Philpott

 



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]