[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: ECP profile question
Regarding the ECP SSO profile - I’m a bit confused about the usage of the responseConsumerURL attribute in the PAOS header sent from SP to ECP and the AssertionConsumerServiceURL attribute in the ECP response header sent from the IdP to the ECP. I’ve included the relevant sections (that I could find) of the profiles spec below.
As I understand it, the ECP sends a message to the SP at the location specified in the responseConsumerURL _only_ in event that there is some error condition. Otherwise the value of the responseConsumerURL attribute is used only for the ECP to confirm the value of the AssertionConsumerServiceURL it got from the IdP by comparing the two. And the value of the AssertionConsumerServiceURL is where the ECP will deliver the SSO response.
Do I have that correct?
Looking at the examples below - the highlighted portions would lead me to think that in this example the ECP would have to generate a SOAP fault response and send it to the SP because the values of the two attributes do not match. There is some wording around the possible need for processing/normalization of the values before comparison but I can’t see what reasonable normalization would result in those two values positively corresponding.
Am I missing something here? Was this just an oversight (and perhaps errata item) or were these values intentionally set that way in the example?
Thanks for any clarification,