security-services message



Subject: Re: [security-services] Some tech overview comments


Tom/Brian, I'm fine with changing the example to a message more 
typically bound to SOAP (and if somebody sends me some XML I'll make the 
change), but I don't see what the issue has to do with SSO?

The section in question is not specifically concerned with SSO, so why 
should any example found within be expected to be so associated?

paul

Tom Scavo wrote:
> On Feb 13, 2008 9:34 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>   
>>>> The example XML in section 4.4.4 "Message Structure and the SOAP Binding"
>>>> shows an AuthnRequest and subsequent Response containing an assertion being
>>>> transported via a SOAP envelope.  While I realize this is valid in the ECP
>>>> profile I think it is somewhat confusing at this point in this document.
>>>> The user's agent and the idea of a bearer token are important pieces of SAML
>>>> and this example seems to suggest that SSO can be accomplished without them.
>>>>
>>>>         
>>> Section 4.4 is entitled 'SAML XML Constructs and Examples' so I think
>>> the SOAP example is perfectly valid here, as we are not claiming that
>>> this example is in the context of SSO (or any other context).
>>>       
>> It's valid, for sure.  My concern wasn't the validity but only that it might
>> be a bit misleading/confusing for someone new to SAML (which is kind of the
>> target audience for this doc, right?).  I believe there is some
>> misconception that SSO can be done by just making a SOAP call and I fear
>> that this example might compound that misconception.  But the real fun of
>> web SSO (which is the main use case for SAML now) is the involvement of the
>> user agent.
>>
>> Admittedly it is kind of a nit, and if others don't think it's an issue,
>> I'll drop it.  But I was thinking it may be more appropriate to show an
>> example of SAML message that is more commonly bound to SOAP - like logout or
>> artifact resolution.
>>     
>
> I agree with Brian here.  SOAP is not required for SSO.  That's a
> point we need to drive home as often as we can.  The example in
> section 4.4.4 would be better served if it were an AttributeQuery, I
> think.
>
> Tom
>
>
>   

-- 
Paul Madsen             e:paulmadsen @ ntt-at.com
NTT                     p:613-482-0432
                        m:613-282-8647
                        aim:PaulMdsn5
                        web:connectid.blogspot.com 
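The thread above argues that section 4.4.4 would confuse fewer readers if it showed a message that is normally carried over SOAP, such as Tom's suggested AttributeQuery, rather than an AuthnRequest/Response pair. The following is an added example, not code from the thread, from the technical overview or from any OASIS deliverable: it builds a SAML 2.0 AttributeQuery inside a SOAP 1.1 envelope (the SAML SOAP binding) and parses one back out, rejecting envelopes whose body carries something other than exactly one AttributeQuery. The issuer, subject and attribute names are constructed values; the namespaces are the standard SAML 2.0 and SOAP 1.1 ones. It uses only the Python standard library.

```python
"""Build and parse a SOAP-bound SAML 2.0 AttributeQuery (added example, constructed data)."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Standard namespaces: SOAP 1.1 envelope, SAML 2.0 protocol, SAML 2.0 assertion.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Readable prefixes in the serialized output instead of ns0/ns1/ns2.
ET.register_namespace("soap-env", SOAP_NS)
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)


def build_attribute_query(issuer, subject, attribute_names, name_id_format=NAMEID_EMAIL):
    """Return a SOAP envelope whose Body carries one samlp:AttributeQuery."""
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    query = ET.SubElement(body, f"{{{SAMLP_NS}}}AttributeQuery", {
        # ID is an xs:ID, so it must not start with a digit: prefix the random hex.
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(query, f"{{{SAML_NS}}}Issuer").text = issuer
    subj = ET.SubElement(query, f"{{{SAML_NS}}}Subject")
    ET.SubElement(subj, f"{{{SAML_NS}}}NameID", {"Format": name_id_format}).text = subject
    # One saml:Attribute per requested attribute; no AttributeValue means "send me the value".
    for name in attribute_names:
        ET.SubElement(query, f"{{{SAML_NS}}}Attribute", {"Name": name})
    return ET.tostring(envelope, encoding="unicode")


def _soap_body(soap_xml):
    """Parse the envelope and return its Body element, or raise ValueError."""
    # For input from the network use defusedxml.ElementTree.fromstring instead.
    root = ET.fromstring(soap_xml)
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        raise ValueError("not a SOAP 1.1 envelope")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("missing soap-env:Body")
    return body


def message_kind(soap_xml):
    """Local name of the first SAML protocol message in the Body (e.g. 'AttributeQuery')."""
    for child in _soap_body(soap_xml):
        if child.tag.startswith(f"{{{SAMLP_NS}}}"):
            return child.tag.split("}", 1)[1]
    return None


def parse_attribute_query(soap_xml):
    """Return (issuer, subject NameID, [attribute names]) from a SOAP-bound AttributeQuery.

    Raises ValueError unless the Body carries exactly one SAML 2.0 AttributeQuery
    with an Issuer and a Subject NameID, so that an AuthnRequest or a Response
    sent down the same channel is not silently accepted as a query.
    """
    body = _soap_body(soap_xml)
    queries = body.findall(f"{{{SAMLP_NS}}}AttributeQuery")
    if len(queries) != 1:
        raise ValueError(f"expected exactly one samlp:AttributeQuery, found {len(queries)}")
    query = queries[0]
    if query.get("Version") != "2.0":
        raise ValueError("unsupported SAML version")
    issuer = query.findtext(f"{{{SAML_NS}}}Issuer")
    name_id = query.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if not issuer or name_id is None or not name_id.text:
        raise ValueError("AttributeQuery must carry an Issuer and a Subject NameID")
    attributes = [a.get("Name") for a in query.findall(f"{{{SAML_NS}}}Attribute")]
    return issuer, name_id.text, attributes


if __name__ == "__main__":
    # Constructed values for the demonstration; not taken from any real deployment.
    msg = build_attribute_query("https://sp.example.org", "alice@example.org",
                                ["urn:oid:2.5.4.42", "urn:oid:2.5.4.4"])
    print(msg)
    print(message_kind(msg), parse_attribute_query(msg))
```

The parser deliberately keys on the SAML protocol namespace and element name rather than on the SOAP body alone, which is the check a responder needs before treating an incoming envelope as a query; a SOAP-bound AuthnRequest (the ECP case the thread mentions) is reported by `message_kind` but rejected by `parse_attribute_query`.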


