Subject: Re: [security-services] Some tech overview comments
Tom/Brian, I'm fine with changing the example to a message more typically bound to SOAP (and if somebody sends me some XML I'll make the change), but I don't see what the issue has to do with SSO? The section in question is not specifically concerned with SSO, so why should any example found within be expected to be so associated?

paul

Tom Scavo wrote:
> On Feb 13, 2008 9:34 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>
>>>> The example XML in section 4.4.4 "Message Structure and the SOAP Binding" shows an AuthnRequest and subsequent Response containing an assertion being transported via a SOAP envelope. While I realize this is valid in the ECP profile I think it is somewhat confusing at this point in this document. The user's agent and the idea of a bearer token are important pieces of SAML and this example seems to suggest that SSO can be accomplished without them.
>>>>
>>> Section 4.4 is entitled 'SAML XML Constructs and Examples' so I think the SOAP example is perfectly valid here, as we are not claiming that this example is in the context of SSO (or any other context).
>>>
>> It's valid, for sure. My concern wasn't the validity but only that it might be a bit misleading/confusing for someone new to SAML (which is kind of the target audience for this doc, right?). I believe there is some misconception that SSO can be done by just making a SOAP call and I fear that this example might compound that misconception. But the real fun of web SSO (which is the main use case for SAML now) is the involvement of the user agent.
>>
>> Admittedly it is kind of a nit, and if others don't think it's an issue, I'll drop it. But I was thinking it may be more appropriate to show an example of a SAML message that is more commonly bound to SOAP - like logout or artifact resolution.
>>
> I agree with Brian here. SOAP is not required for SSO. That's a point we need to drive home as often as we can. The example in section 4.4.4 would be better served if it were an AttributeQuery, I think.
>
> Tom

-- 
Paul Madsen
e:paulmadsen @ ntt-at.com
NTT
p:613-482-0432
m:613-282-8647
aim:PaulMdsn5
web:connectid.blogspot.com
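The SOAP-bound AttributeQuery Tom suggests, as an added example that is not part of this thread or of the SAML TC's tech overview document: a constructed SOAP 1.1 envelope carrying an AttributeQuery, plus a small inspector that reports which samlp message the SOAP Body carries and whether that message is a normal back-channel (SOAP) exchange or, like AuthnRequest/Response, a web SSO message that only travels over SOAP in the ECP profile. The issuer URL, IDs and attribute in the sample are constructed.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: an AttributeQuery from an SP to an IdP over the SOAP binding.
ATTRIBUTE_QUERY_SOAP = """\
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <samlp:AttributeQuery xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="_constructed-query-1" Version="2.0" IssueInstant="2008-02-13T14:34:00Z">
      <saml:Issuer>https://sp.example.org</saml:Issuer>
      <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">_user-1</saml:NameID>
      </saml:Subject>
      <saml:Attribute Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
    </samlp:AttributeQuery>
  </soap:Body>
</soap:Envelope>"""

# Messages normally exchanged directly between SP and IdP, where SOAP is the usual binding.
BACK_CHANNEL = {"AttributeQuery", "ArtifactResolve", "ArtifactResponse",
                "LogoutRequest", "LogoutResponse"}
# Web SSO messages that pass through the user agent; over SOAP they only appear in ECP.
FRONT_CHANNEL = {"AuthnRequest", "Response"}

BACK_NOTE = "back-channel message: SOAP is its usual binding"
FRONT_NOTE = "web SSO message: over SOAP only in the ECP profile; browser SSO goes via the user agent"
OTHER_NOTE = "samlp message not classified here"

def describe_soap_message(xml_text):
    """Return (message type, issuer, binding note) for the samlp message in a SOAP Body."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        raise ValueError("not a SOAP 1.1 Envelope")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("SOAP Body missing or empty")
    msg = body[0]  # the SAML protocol message is the first child of Body
    ns, _, local = msg.tag[1:].partition("}") if msg.tag.startswith("{") else ("", "", msg.tag)
    if ns != SAMLP_NS:
        raise ValueError(f"Body does not carry a SAML 2.0 protocol message: {msg.tag}")
    issuer = msg.findtext(f"{{{SAML_NS}}}Issuer")
    if local in BACK_CHANNEL:
        note = BACK_NOTE
    elif local in FRONT_CHANNEL:
        note = FRONT_NOTE
    else:
        note = OTHER_NOTE
    return local, issuer, note
```

Calling `describe_soap_message(ATTRIBUTE_QUERY_SOAP)` returns the message type, the issuer and the back-channel note; feeding it an AuthnRequest in a SOAP Body returns the ECP note instead.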