Subject: Re: [security-services] Some tech overview comments


Unless I'm missing something, the protocol message in Figure 9 is an
AuthnRequest.  Thus the implication is that AuthnRequest and SOAP go
together, which is, as Brian said, a myth we should try to dispel.

If you like, you can use the AttributeQuery example here:

http://en.wikipedia.org/wiki/SAML_2.0#SAML_Attribute_Query

(I wrote that article so I believe I am within my IP rights to give
the code to OASIS as well.)

Thanks,
Tom

On Feb 13, 2008 3:33 PM, Paul Madsen <paulmadsen@rogers.com> wrote:
> Tom/Brian, I'm fine with changing the example to a message more
> typically bound to SOAP (and if somebody sends me some XML I'll make the
> change), but I don't see what the issue has to SSO?
>
> The section in question is not specifically concerned with SSO, so why
> should any example found within be expected to be so associated?
>
> paul
>
>
> Tom Scavo wrote:
> > On Feb 13, 2008 9:34 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:
> >
> >>>> The example XML in section 4.4.4 "Message Structure and the SOAP Binding"
> >>>> shows an AuthnRequest and subsequent Response containing an assertion being
> >>>> transported via a SOAP envelope.  While I realize this is valid in the ECP
> >>>> profile I think it is somewhat confusing at this point in this document.
> >>>> The user's agent and the idea of a bearer token are important pieces of SAML
> >>>> and this example seems to suggest that SSO can be accomplished without them.
> >>>>
> >>>>
> >>> Section 4.4 is entitled 'SAML XML Constructs and Examples' so I think
> >>> the SOAP example is perfectly valid here, as we are not claiming that
> >>> this example is in the context of SSO (or any other context).
> >>>
> >> It's valid, for sure.  My concern wasn't the validity but only that it might
> >> be a bit misleading/confusing for someone new to SAML (which is kind of the
> >> target audience for this doc, right?).  I believe there is some
> >> misconception that SSO can be done by just making a SOAP call and I fear
> >> that this example might compound that misconception.  But the real fun of
> >> web SSO (which is the main use case for SAML now) is the involvement of the
> >> user agent.
> >>
> >> Admittedly it is kind of a nit, and if others don't think it's an issue,
> >> I'll drop it.  But I was thinking it may be more appropriate to show an
> >> example of SAML message that is more commonly bound to SOAP - like logout or
> >> artifact resolution.
> >>
> >
> > I agree with Brian here.  SOAP is not required for SSO.  That's a
> > point we need to drive home as often as we can.  The example in
> > section 4.4.4 would be better served if it were an AttributeQuery, I
> > think.
> >
> > Tom
> >
> >
> >
>
>
> --
> Paul Madsen             e:paulmadsen @ ntt-at.com
> NTT                     p:613-482-0432
>                         m:613-282-8647
>                         aim:PaulMdsn5
>                         web:connectid.blogspot.com
>
>
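As an added illustration of the point argued in this thread (this is not code from the thread, from the OASIS document under review, or from the Wikipedia article Tom links), the following Python builds a SOAP-bound SAML 2.0 AttributeQuery, the kind of message that is commonly carried over the SOAP binding, and classifies which SAML protocol message a SOAP Body carries, flagging AuthnRequest-over-SOAP as something seen only in the ECP profile rather than ordinary browser SSO. The namespace URIs are the standard SAML 2.0 and SOAP 1.1 ones; the issuer, destination, subject and attribute names are constructed sample values, and the `SOAP_TYPICAL` set is this example's own shortlist, not a list from the specification.

```python
"""Added example: SOAP-bound SAML 2.0 AttributeQuery construction and a
classifier for the SAML protocol message found in a SOAP Body."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from uuid import uuid4

# Standard namespace URIs (SOAP 1.1 envelope, SAML 2.0 protocol/assertion).
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

for prefix, uri in (("S", SOAP_NS), ("samlp", SAMLP_NS), ("saml", SAML_NS)):
    ET.register_namespace(prefix, uri)

# Example's own shortlist of messages normally bound to SOAP (assumption):
# back-channel queries, artifact resolution and back-channel logout.
SOAP_TYPICAL = {"AttributeQuery", "AuthnQuery", "AuthzDecisionQuery",
                "ArtifactResolve", "LogoutRequest"}


def build_attribute_query(issuer, destination, subject_email, attribute_names):
    """Return a SOAP 1.1 envelope (str) whose Body holds a samlp:AttributeQuery.

    Element order follows the SAML 2.0 schema: Issuer, then Subject, then
    one saml:Attribute per requested attribute name."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    query = ET.SubElement(body, f"{{{SAMLP_NS}}}AttributeQuery", {
        "ID": "_" + uuid4().hex,          # must be an NCName, hence the leading "_"
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
    })
    ET.SubElement(query, f"{{{SAML_NS}}}Issuer").text = issuer
    subject = ET.SubElement(query, f"{{{SAML_NS}}}Subject")
    ET.SubElement(subject, f"{{{SAML_NS}}}NameID",
                  {"Format": NAMEID_EMAIL}).text = subject_email
    for name in attribute_names:
        ET.SubElement(query, f"{{{SAML_NS}}}Attribute", {"Name": name})
    return ET.tostring(env, encoding="unicode")


def classify_soap_body(envelope_xml):
    """Parse a SOAP envelope and report the SAML protocol message in its Body.

    Returns (local_name, note). Raises ValueError when there is no Body or
    the Body carries no element from the SAML protocol namespace."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("no SOAP Body element")
    for child in body:
        if not child.tag.startswith("{" + SAMLP_NS + "}"):
            continue
        name = child.tag.split("}", 1)[1]
        if name in SOAP_TYPICAL:
            return name, "typical SOAP-bound message"
        if name == "AuthnRequest":
            return name, ("AuthnRequest over SOAP appears only in the ECP profile; "
                          "browser SSO carries it via Redirect/POST through the user agent")
        return name, "other SAML protocol message"
    raise ValueError("SOAP Body carries no SAML protocol message")


def query_subject(envelope_xml):
    """Return the NameID text of the AttributeQuery's Subject, or None."""
    root = ET.fromstring(envelope_xml)
    node = root.find(f".//{{{SAMLP_NS}}}AttributeQuery/{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    return None if node is None else node.text


# Constructed sample of the pattern the thread objects to: an AuthnRequest in a SOAP Body.
SAMPLE_AUTHN_OVER_SOAP = (
    '<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body>'
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_sample1" Version="2.0" IssueInstant="2008-02-13T15:33:00Z"/>'
    '</S:Body></S:Envelope>'
)

if __name__ == "__main__":
    env = build_attribute_query("https://sp.example.org/saml",        # constructed
                                "https://idp.example.org/saml/soap",  # constructed
                                "user@example.org",                   # constructed
                                ["urn:oid:2.5.4.42", "urn:oid:0.9.2342.19200300.100.1.3"])
    print(env)
    print(classify_soap_body(env))
    print(classify_soap_body(SAMPLE_AUTHN_OVER_SOAP))
```

Run as a script, it prints the generated envelope and then the classification of both the AttributeQuery and the constructed AuthnRequest-over-SOAP sample, so the reader sees side by side which message a SOAP Body ordinarily carries and which one only ECP does.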

