
security-services message


Subject: profiles potential errata?

Well, I have some additional ECP Profile comments/questions…

Profiles lines 904-908 describe the ResponseConsumerURL in the PAOS Request Header Block of the message from the SP to the ECP.  The description is:

Specifies where the ECP is to send an error response. Also used to verify the correctness of the identity provider's response, by cross checking this location against the AssertionServiceConsumerURL in the ECP response header block. This value MUST be the same as the AssertionServiceConsumerURL (or the URL referenced in metadata) conveyed in the <AuthnRequest>.

This description is confusing in that it sounds like it could be two different values: an error response location or an AssertionConsumerServiceURL.  This is clearly not what was meant. Or am I missing something?


First, isn’t it simply where the ECP should send the “response”, not an “error response”? Isn’t it always just the SP’s AssertionConsumerServiceURL?


Next, I suggest dropping the 2nd sentence about it being verified against the ECP Response block.  Yes, that check has to be done, but not in this step; it is done when the ECP Response Block is sent from the IDP to the ECP and I find it confusing the way it is discussed here. The verification check is already described in the later section (lines 1015-1018). I suggest changing the last sentence a bit as well.  Here’s possible suggested text:

Specifies the URL for the assertion consumer service where the ECP is to send a response back to the SP. If the <AuthnRequest> from the SP includes an AssertionConsumerServiceURL or AssertionConsumerServiceIndex, then the ResponseConsumerURL value in the PAOS Request Header block MUST be set to the URL indicated by the <AuthnRequest>. 

Finally, in the example on page 29 of Profiles, Line 964 uses a ResponseConsumerURL of http://identity-service.example.com/abc.  However, since this value must be an AssertionConsumerService at the SP, I recommend changing it to https://ServiceProvider.example.com/AssertionConsumerService (for consistency with other examples in the section).


Rob Philpott
Senior Consulting Engineer
RSA Security Inc.
Tel: 781-515-7115
Mobile: 617-510-0893
Fax: 781-515-7020
I-name:  =Rob.Philpott
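As an added illustration of the cross-check discussed in the message above (example code written for this archive page, not text or code from the OASIS specification or from the message author), here is how an ECP could compare the responseConsumerURL in the SP's PAOS Request header block with the AssertionConsumerServiceURL in the IdP's ECP Response header block and decide whether to forward the response or send a fault instead. The SOAP envelopes are constructed samples; the attribute names and namespace URIs are assumed to follow the SAML 2.0 ECP profile and the Liberty PAOS binding.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
PAOS = "urn:liberty:paos:2003-08"                       # PAOS binding (assumed)
ECP = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp"   # ECP profile (assumed)
NEXT = "http://schemas.xmlsoap.org/soap/actor/next"

# Constructed sample: the SP -> ECP message carrying the PAOS Request header block.
SP_ENVELOPE = f"""<S:Envelope xmlns:S="{SOAP}">
  <S:Header>
    <paos:Request xmlns:paos="{PAOS}" S:mustUnderstand="1" S:actor="{NEXT}"
        responseConsumerURL="https://ServiceProvider.example.com/AssertionConsumerService"
        service="{ECP}"/>
  </S:Header>
  <S:Body/>
</S:Envelope>"""

def idp_envelope(acs_url):
    """Constructed sample: the IdP -> ECP message carrying the ECP Response header block."""
    return f"""<S:Envelope xmlns:S="{SOAP}">
  <S:Header>
    <ecp:Response xmlns:ecp="{ECP}" S:mustUnderstand="1" S:actor="{NEXT}"
        AssertionConsumerServiceURL="{acs_url}"/>
  </S:Header>
  <S:Body/>
</S:Envelope>"""

def header_attr(envelope, ns, local, attr):
    """Pull one attribute off a named SOAP header block; fail if it is absent."""
    root = ET.fromstring(envelope)
    block = root.find(f"{{{SOAP}}}Header/{{{ns}}}{local}")
    if block is None or attr not in block.attrib:
        raise ValueError(f"missing {local}@{attr} header block")
    return block.attrib[attr]

def ecp_decide(sp_envelope, idp_envelope_xml):
    """Return (action, url) for the ECP.
    'forward': deliver the IdP's response to the SP's responseConsumerURL.
    'fault':   the IdP's AssertionConsumerServiceURL did not match the
               responseConsumerURL, so send a SOAP fault to the SP instead."""
    rcu = header_attr(sp_envelope, PAOS, "Request", "responseConsumerURL")
    acs = header_attr(idp_envelope_xml, ECP, "Response", "AssertionConsumerServiceURL")
    if acs != rcu:
        return ("fault", rcu)
    return ("forward", rcu)
```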

