security-services message

Subject: Some tech overview comments


I can't recall the last time I looked at this document but I wanted to look
it over before the CD vote tomorrow.  These two things jumped out at me
during a quick read of the doc.

The example XML in section 4.4.4 "Message Structure and the SOAP Binding"
shows an AuthnRequest and subsequent Response containing an assertion being
transported via a SOAP envelope.  While I realize this is valid in the ECP
profile I think it is somewhat confusing at this point in this document.
The user's agent and the idea of a bearer token are important pieces of SAML
and this example seems to suggest that SSO can be accomplished without them.


There are some things in 5.2.1 "[ECP] Introduction" that I find confusing -
it says that the "(ECP) Profile supports several SSO use cases... Clients
where it is impossible to use redirects ... It is impossible for the
identity provider and service provider to directly communicate (and hence
the HTTP Artifact binding cannot be used)"  That leaves me thinking, would a
client that can't do redirects really be able to do SOAP, PAOS, and some
SAML?  And when the IdP and SP can't communicate directly, why not just use
POST?  