OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Transient IDs and SAML Conformance

I'm seeking guidance on the interpretation and intent of the SAML 2.0
Conformance document discussion of Name ID formats in section 3.3.

To summarize, my interpretation in formulating the Liberty Interoperable
testing procedures has been that "trivial processing" of messages --- that
is, correctly processing messages but only issuing error responses rather
than doing something useful --- is not acceptable.  In particular, our
testing requires that implementations accept Transient Name IDs, and use
them to allow access to protected resources.

There is at least one party who disagrees, noting that the SAML 2.0
Conformace docs state that the processing rules don't cover what an
implementation does with the ID once the SAML processing is done.  In this
interpretation, an implementation which accepts a Transient Name ID, but
simply rejects the message, is conformant.

To me, the notion that this behavior could be conformant (in any practical
sense) seems anathema. If I were a customer and bought a "conformant"
product which  "supported" Transient IDs, and then found out that  Transient
IDs are  "supported" by summarily rejecting them, I might be upset.

So I think there may be a need to clarify the language in the SAML
Conformance  document, depending on the feedback here.

Here are the relevant sections from the SAML 2.0 Conformance doc:

Lines 199-201 in particular state that

    Sections 8.3.7 [of SAMLCore] (persistent name identifiers) and
    8.3.8 [of SAMLCore] (transient name identifiers) define normative
    processing rules for the producer of such identifiers. All
    normative processing rules in Sections 8.3.7 and 8.3.8 MUST be
    supported by conforming implementations.

and lines 205-208 state:

    Note: In this context, "process" means that the implementation
    must successfully parse and handle the identifier without failing
    or returning an error. How the implementation deals with the
    identifier once it is processed at this level is out of scope for
    this specification.

I guess I would say that the definition of "process" here needs to be a bit
tighter --- and for a conformance spec, perhaps needs to go a bit beyond the
spec in terms of setting expectations.  For example, with a Persistent ID,
an implementation might claim to be conformant even though it rejects all
Persistent IDs --- but that would eliminate the possibility of Single-Logout
or NameID Management.

Anyway, your thoughts are appreciated.

Eric  Tiffany             |  eric@projectliberty.org
Interop Tech  Lead        |  +1 413-458-3743
Liberty Alliance          |  +1 413-627-1778 mobile

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]