Subject: profiles potential errata?
Well, I have some additional ECP Profile comments/questions…

Profiles lines 904-908 describe the ResponseConsumerURL in the PAOS Request Header Block of the message from the SP to the ECP. The description is:

    Specifies where the ECP is to send an error response. Also used to verify the correctness of the identity provider's response, by cross checking this location against the AssertionServiceConsumerURL in the ECP response header block. This value MUST be the same as the AssertionServiceConsumerURL (or the URL referenced in metadata) conveyed in the <AuthnRequest>.

This description is confusing in that it sounds like it could be two different values; an error response location or an AssertionConsumerServiceURL. This is clearly not what was meant. Or am I missing something?

First, isn’t it simply where the ECP should send the “response”, not an “error response”? Isn’t it always just the SP’s AssertionConsumerServiceURL?

Next, I suggest dropping the 2nd sentence about it being verified against the ECP Response block. Yes, that check has to be done, but not in this step; it is done when the ECP Response Block is sent from the IDP to the ECP, and I find it confusing the way it is discussed here. The verification check is already described in the later section (lines 1015-1018).

I suggest changing the last sentence a bit as well. Here’s possible suggested text:

    Specifies the URL for the assertion consumer service where the ECP is to send a response back to the SP. If the <AuthnRequest> from the SP includes an AssertionConsumerServiceURL or AssertionConsumerServiceIndex, then the ResponseConsumerURL value in the PAOS Request Header block MUST be set to the URL indicated by the <AuthnRequest>.

Finally, in the example on page 29 of Profiles, Line 964 uses a ResponseConsumerURL of http://identity-service.example.com/abc. However, since this value must be an AssertionConsumerService at the SP, I recommend changing it to https://ServiceProvider.example.com/AssertionConsumerService (for consistency with other examples in the section).

Rob Philpott
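The two consistency rules the message discusses (the PAOS ResponseConsumerURL must equal the ACS URL designated by the <AuthnRequest>, and the ecp:Response header block from the IdP must later agree with that same URL) can be written as explicit checks. The code below is an added example and is not part of the original message, of the SAML Profiles text, or of any implementation. It assumes the PAOS attribute is spelled `responseConsumerURL`, uses the standard SOAP, PAOS, ECP and SAML protocol namespace URIs, and stands in for SP metadata with a constructed index-to-URL table (`ACS_BY_INDEX`); all XML messages are constructed sample data.

```python
"""Consistency checks for the SP -> ECP and IdP -> ECP legs of SAML ECP.

Added example; the envelopes below are constructed sample data, and
ACS_BY_INDEX is a hypothetical stand-in for the SP's metadata.
"""
import xml.etree.ElementTree as ET

NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "paos": "urn:liberty:paos:2003-08",
    "ecp": "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed: maps AssertionConsumerServiceIndex -> ACS URL, as SP metadata would.
ACS_BY_INDEX = {
    0: "https://ServiceProvider.example.com/AssertionConsumerService",
    1: "https://ServiceProvider.example.com/AssertionConsumerService2",
}

# Constructed SP -> ECP envelope: PAOS Request header plus an AuthnRequest body.
SP_TO_ECP = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Header>
    <paos:Request xmlns:paos="urn:liberty:paos:2003-08"
        S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1"
        responseConsumerURL="{rcu}"
        service="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"/>
  </S:Header>
  <S:Body>
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        ID="_constructed-id" Version="2.0" IssueInstant="2005-01-31T12:00:00Z"
        {acs_attr}/>
  </S:Body>
</S:Envelope>"""

# Constructed IdP -> ECP envelope: only the ecp:Response header block matters here.
IDP_TO_ECP = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Header>
    <ecp:Response xmlns:ecp="urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"
        S:actor="http://schemas.xmlsoap.org/soap/actor/next" S:mustUnderstand="1"
        AssertionConsumerServiceURL="{acs}"/>
  </S:Header>
  <S:Body/>
</S:Envelope>"""


class EcpCheckError(ValueError):
    """The PAOS/ECP header blocks and the SAML message disagree."""


def build_sp_request(rcu, acs_url=None, acs_index=None):
    """Render the constructed SP -> ECP envelope with the chosen ACS designation."""
    if acs_url is not None:
        attr = f'AssertionConsumerServiceURL="{acs_url}"'
    elif acs_index is not None:
        attr = f'AssertionConsumerServiceIndex="{acs_index}"'
    else:
        attr = ""
    return SP_TO_ECP.format(rcu=rcu, acs_attr=attr)


def build_idp_response(acs_url):
    """Render the constructed IdP -> ECP envelope."""
    return IDP_TO_ECP.format(acs=acs_url)


def expected_acs_url(authn_request, acs_by_index):
    """URL the <AuthnRequest> designates, given directly or via a metadata index."""
    url = authn_request.get("AssertionConsumerServiceURL")
    index = authn_request.get("AssertionConsumerServiceIndex")
    if url is not None and index is not None:
        raise EcpCheckError("AuthnRequest carries both an ACS URL and an ACS index")
    if url is not None:
        return url
    if index is not None:
        try:
            return acs_by_index[int(index)]
        except (KeyError, ValueError):
            raise EcpCheckError(f"unknown AssertionConsumerServiceIndex {index!r}") from None
    return None  # neither given: nothing in the request to compare against


def check_sp_request(envelope_xml, acs_by_index=ACS_BY_INDEX):
    """Check the SP -> ECP leg; return the responseConsumerURL the ECP must remember."""
    root = ET.fromstring(envelope_xml)
    paos_req = root.find("S:Header/paos:Request", NS)
    authn = root.find("S:Body/samlp:AuthnRequest", NS)
    if paos_req is None or authn is None:
        raise EcpCheckError("missing PAOS Request header block or AuthnRequest body")
    if paos_req.get("service") != NS["ecp"]:
        raise EcpCheckError("PAOS Request does not name the ECP service")
    rcu = paos_req.get("responseConsumerURL")
    if not rcu:
        raise EcpCheckError("responseConsumerURL is missing")
    acs = expected_acs_url(authn, acs_by_index)
    # The rule proposed in the message: the header value MUST be the ACS URL
    # indicated by the AuthnRequest (directly, or through metadata by index).
    if acs is not None and acs != rcu:
        raise EcpCheckError(f"responseConsumerURL {rcu!r} != AuthnRequest ACS {acs!r}")
    return rcu


def check_idp_response(envelope_xml, response_consumer_url):
    """Check the IdP -> ECP leg: the ecp:Response header's ACS URL must equal the
    responseConsumerURL recorded from the SP's PAOS Request (the later check the
    message refers to). Returns True when the two agree."""
    root = ET.fromstring(envelope_xml)
    ecp_resp = root.find("S:Header/ecp:Response", NS)
    if ecp_resp is None:
        raise EcpCheckError("missing ecp:Response header block")
    return ecp_resp.get("AssertionConsumerServiceURL") == response_consumer_url


if __name__ == "__main__":
    good = ACS_BY_INDEX[0]
    rcu = check_sp_request(build_sp_request(good, acs_index=0))
    print("SP request consistent, ECP remembers", rcu)
    print("IdP response consistent:", check_idp_response(build_idp_response(good), rcu))
```

The page-29 example value from the message, `http://identity-service.example.com/abc`, fails `check_sp_request` against an AuthnRequest that designates the SP's AssertionConsumerService, which is exactly the inconsistency the message points out.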