[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [security-services] Some tech overview comments
Unless I'm missing something, the protocol message in Figure 9 is an
AuthnRequest. Thus the implication is that AuthnRequest and SOAP go
together, which is, as Brian said, a myth we should try to dispel. If you
like, you can use the AttributeQuery example here:
http://en.wikipedia.org/wiki/SAML_2.0#SAML_Attribute_Query (I wrote that
article, so I believe I am within my IP rights to give the code to OASIS
as well.)

Thanks,
Tom

On Feb 13, 2008 3:33 PM, Paul Madsen <paulmadsen@rogers.com> wrote:
> Tom/Brian, I'm fine with changing the example to a message more
> typically bound to SOAP (and if somebody sends me some XML I'll make the
> change), but I don't see what the issue has to do with SSO?
>
> The section in question is not specifically concerned with SSO, so why
> should any example found within be expected to be so associated?
>
> paul
>
>
> Tom Scavo wrote:
> > On Feb 13, 2008 9:34 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:
> >
> >>>> The example XML in section 4.4.4 "Message Structure and the SOAP
> >>>> Binding" shows an AuthnRequest and subsequent Response containing an
> >>>> assertion being transported via a SOAP envelope. While I realize this
> >>>> is valid in the ECP profile, I think it is somewhat confusing at this
> >>>> point in this document. The user's agent and the idea of a bearer
> >>>> token are important pieces of SAML, and this example seems to suggest
> >>>> that SSO can be accomplished without them.
> >>>>
> >>> Section 4.4 is entitled 'SAML XML Constructs and Examples', so I think
> >>> the SOAP example is perfectly valid here, as we are not claiming that
> >>> this example is in the context of SSO (or any other context).
> >>>
> >> It's valid, for sure. My concern wasn't the validity but only that it
> >> might be a bit misleading/confusing for someone new to SAML (which is
> >> kind of the target audience for this doc, right?). I believe there is
> >> some misconception that SSO can be done by just making a SOAP call, and
> >> I fear that this example might compound that misconception. But the
> >> real fun of web SSO (which is the main use case for SAML now) is the
> >> involvement of the user agent.
> >>
> >> Admittedly it is kind of a nit, and if others don't think it's an
> >> issue, I'll drop it. But I was thinking it may be more appropriate to
> >> show an example of a SAML message that is more commonly bound to SOAP,
> >> like logout or artifact resolution.
> >>
> > I agree with Brian here. SOAP is not required for SSO. That's a point
> > we need to drive home as often as we can. The example in section 4.4.4
> > would be better served if it were an AttributeQuery, I think.
> >
> > Tom
>
> --
> Paul Madsen   e:paulmadsen @ ntt-at.com
> NTT           p:613-482-0432
>               m:613-282-8647
>               aim:PaulMdsn5
>               web:connectid.blogspot.com
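The distinction the thread turns on, that an AttributeQuery is a back-channel message carried inside a SOAP envelope while the AuthnRequest that starts web SSO goes through the user's browser with no SOAP at all, as an added Python example that is not part of this thread, the OASIS tech overview, or the Wikipedia article Tom links. The entity IDs, endpoint URLs, subject NameID and attribute names are placeholders; the namespaces and the encoding steps (SOAP 1.1 Body for the SOAP binding; raw DEFLATE, then base64, then URL encoding for the HTTP-Redirect binding) are those of the SAML 2.0 Bindings specification. Signing is left out.

```python
"""Bind a SAML 2.0 AttributeQuery to SOAP and an AuthnRequest to HTTP-Redirect.

Added example, not from the mailing-list thread or the OASIS document.
Entity IDs, endpoint URLs, the subject NameID and attribute names are
placeholders chosen for illustration.
"""
import base64
import datetime
import urllib.parse
import uuid
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1, as the SAML SOAP binding uses
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ATTRNAME_URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

for prefix, uri in (("samlp", SAMLP), ("saml", SAML), ("soap-env", SOAP)):
    ET.register_namespace(prefix, uri)


def _common_attrs(request_id, issue_instant):
    """ID must be an XML NCName, so a generated one starts with "_" rather than a digit."""
    if request_id is None:
        request_id = "_" + uuid.uuid4().hex
    if issue_instant is None:
        issue_instant = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"ID": request_id, "Version": "2.0", "IssueInstant": issue_instant}


def build_attribute_query(issuer, subject_name_id, attribute_names, request_id=None, issue_instant=None):
    """samlp:AttributeQuery: the SP asks the IdP for attributes of a subject it already knows."""
    query = ET.Element(f"{{{SAMLP}}}AttributeQuery", _common_attrs(request_id, issue_instant))
    ET.SubElement(query, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": NAMEID_UNSPECIFIED}).text = subject_name_id
    for name in attribute_names:
        ET.SubElement(query, f"{{{SAML}}}Attribute", {"Name": name, "NameFormat": ATTRNAME_URI})
    return query


def soap_bind(message):
    """SAML SOAP binding: the protocol message is the sole child of the SOAP Body.
    No user agent is involved; the SP POSTs this directly to the IdP's attribute
    service, so the IdP has to authenticate the SP some other way (TLS client
    certificate or an XML signature on the query; both omitted here)."""
    envelope = ET.Element(f"{{{SOAP}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP}}}Body")
    body.append(message)
    return ET.tostring(envelope, encoding="unicode")


def build_authn_request(issuer, acs_url, destination, request_id=None, issue_instant=None):
    """samlp:AuthnRequest: the message that starts web SSO. The Response with the
    bearer assertion comes back through the browser to AssertionConsumerServiceURL."""
    attrs = _common_attrs(request_id, issue_instant)
    attrs.update({"Destination": destination, "AssertionConsumerServiceURL": acs_url,
                  "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
    request = ET.Element(f"{{{SAMLP}}}AuthnRequest", attrs)
    ET.SubElement(request, f"{{{SAML}}}Issuer").text = issuer
    return request


def redirect_bind(message, sso_url, relay_state=None):
    """SAML HTTP-Redirect binding: raw DEFLATE (RFC 1951, no zlib header), base64,
    then URL-encode into the query string. The SP redirects the browser to this URL."""
    xml_bytes = ET.tostring(message, encoding="utf-8")
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml_bytes) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return sso_url + "?" + urllib.parse.urlencode(params)


def decode_redirect_request(url):
    """What the IdP does on receipt: reverse the three encoding steps."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    return ET.fromstring(zlib.decompress(deflated, -15))


def to_xml(message):
    return ET.tostring(message, encoding="unicode")


def classify(xml_text):
    """Return (binding style, protocol message local name) for a received document."""
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{SOAP}}}Envelope":
        inner = list(root.find(f"{{{SOAP}}}Body"))[0]
        return "soap", inner.tag.split("}")[1]
    return "direct", root.tag.split("}")[1]


if __name__ == "__main__":
    sp = "https://sp.example.org/saml"          # placeholder entity ID
    print(soap_bind(build_attribute_query(sp, "alice", ["urn:oid:2.5.4.42"])))
    authn = build_authn_request(sp, sp + "/acs", "https://idp.example.org/sso")
    print(redirect_bind(authn, "https://idp.example.org/sso", relay_state="/app"))
```

Running the script prints the two wire forms side by side: a SOAP envelope whose Body holds the AttributeQuery, and a redirect URL carrying a compressed AuthnRequest. The point Brian raised is visible in the code paths: the SOAP-bound query never touches a browser and yields no bearer token, so it cannot by itself log a user in, whereas the redirect-bound request exists only to send the user agent to the IdP and get an assertion back through it.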