OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] Transient IDs and SAML Conformance

> I guess I would say that the definition of "process" here needs to be a
> tighter --- and for a conformance spec, perhaps needs to go a bit beyond
> spec in terms of setting expectations.

How can it be "legal" to process the ID successfully, and then return a SAML
error? You can't return a SAML error from non-SAML code, so I think it's
unambiguous to say "the SAML layer must successfully process the value
without returning an error".

We can't say what happens once the application at the SP gets control. But
that's not a SAML error.

SAML conformance can't include expectations about that, but I guess a
conformance testing suite can just to determine whether something is

> For example, with a Persistent ID, an implementation might claim to be
> conformant even though it rejects all Persistent IDs --- but that would
> eliminate the possibility of Single-Logout or NameID Management.

Single Logout has nothing to do with persistent IDs, it works with any
format because it's session-based.

NameID Mgmt does, and no, you can't just ignore the messages by returning
errors. But how can we control how somebody implements them? As I said at
the time, I am within my rights to provide nothing but an API, and then at
conformance test time, supply a dumb plugin that writes to a file, and is
totally unsuitable for production use. Conformance can't determine quality.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]