OASIS Mailing List Archives

security-services message



Subject: Re: [security-services] Some tech overview comments


It's not that it should necessarily be expected to be associated with SSO.
It's more that I believe the target audience of this document are people who
are new to SAML.  When one is learning something new, it is much easier to
grasp concrete and tangible examples than it is to understand abstract
examples or concepts.  The current example is perfectly valid but I would
argue that it's kind of abstract - an AuthnRequest and Response via SOAP,
while valid, is a much less common scenario than, say, an attribute query or
artifact resolution request via SOAP.

So while section 4.4.4 isn't specifically concerned with SSO, I do think
that an SSO based example might help newbies understand some of the concepts
more easily.  That's all I'm saying here.

And again, I didn't mean to make a big fuss about it.  It's legal and valid
and ok as it is.  I was just trying to simplify.  I've attached two files
with SOAP bound message exchanges - one shows an artifact resolution
exchange and the other shows an attribute query.  Feel free to use either,
both or not use them at all!  The XML came from product logs so should be
valid and compliant :)


On 2/13/08 1:33 PM, "Paul Madsen" <paulmadsen@rogers.com> wrote:

> Tom/Brian, I'm fine with changing the example to a message more
> typically bound to SOAP (and if somebody sends me some XML I'll make the
> change), but I don't see what the issue has to SSO?
> 
> The section in question is not specifically concerned with SSO, so why
> should any example found within be expected to be so associated?
> 
> paul
> 
> Tom Scavo wrote:
>> On Feb 13, 2008 9:34 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>>
>>>>> The example XML in section 4.4.4 "Message Structure and the SOAP Binding"
>>>>> shows an AuthnRequest and subsequent Response containing an assertion
>>>>> being
>>>>> transported via a SOAP envelope.  While I realize this is valid in the ECP
>>>>> profile I think it is somewhat confusing at this point in this document.
>>>>> The user's agent and the idea of a bearer token are important pieces of
>>>>> SAML
>>>>> and this example seems to suggest that SSO can be accomplished without
>>>>> them.
>>>>>
>>>> Section 4.4 is entitled 'SAML XML Constructs and Examples' so I think
>>>> the SOAP example is perfectly valid here, as we are not claiming that
>>>> this example is in the context of SSO (or any other context).
>>>>
>>> It's valid, for sure.  My concern wasn't the validity but only that it might
>>> be a bit misleading/confusing for someone new to SAML (which is kind of the
>>> target audience for this doc, right?).  I believe there is some
>>> misconception that  SSO can be done by just making a SOAP call and I fear
>>> that this example might compound that misconception.  But the real fun of
>>> web SSO (which is the main use case for SAML now) is the involvement of the
>>> user agent.
>>> 
>>> Admittedly it is kind of a nit, and if others don't think it's an issue,
>>> I'll drop it.  But I was thinking it may be more appropriate to show an
>>> example of SAML message that is more commonly bound to SOAP - like logout or
>>> artifact resolution.
>>>
>> 
>> I agree with Brian here.  SOAP is not required for SSO.  That's a
>> point we need to drive home as often as we can.  The example in
>> section 4.4.4 would be better served if it were an AttributeQuery, I
>> think.
>> 
>> Tom
>> 
>>

artifact-resolve-response-in-soap.txt

attribute-query-response-in-soap.txt
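The artifact resolution exchange mentioned above is the kind of message exchange that actually is bound to SOAP in practice: the SP receives an artifact via the user agent, then resolves it over a direct SOAP back-channel to the IdP. The following is an added, constructed example (not the attached product-log XML and not code from the SAML TC) that builds the SP side of that exchange in Python: it encodes and decodes a type 0x0004 artifact (TypeCode, EndpointIndex, SHA-1 SourceID of the issuer's entityID, 20-byte MessageHandle, base64 encoded), wraps a samlp:ArtifactResolve in a SOAP 1.1 envelope, and checks a sample samlp:ArtifactResponse for the two things an SP must verify before using it: that InResponseTo matches the ArtifactResolve it sent, and that the status is Success. The entity IDs (idp.example.org, sp.example.com), message IDs and timestamps are made up; signature verification is deliberately left out and is stated as a precondition in the comments.

```python
import base64
import hashlib
import os
import xml.etree.ElementTree as ET

# Namespace URIs from SOAP 1.1, SAML 2.0 and XML Signature; prefixes are registered so the
# serialized ArtifactResolve reads like the examples in the tech overview.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def build_artifact(issuer_entity_id, endpoint_index, handle=None):
    """Encode a SAML 2.0 type 0x0004 artifact: TypeCode(2) | EndpointIndex(2) | SourceID(20) | MessageHandle(20)."""
    if handle is None:
        handle = os.urandom(20)  # the handle is an opaque reference, so it must be unguessable
    if len(handle) != 20:
        raise ValueError("MessageHandle must be 20 bytes")
    source_id = hashlib.sha1(issuer_entity_id.encode("utf-8")).digest()  # SourceID is SHA-1 of the issuer entityID
    raw = b"\x00\x04" + endpoint_index.to_bytes(2, "big") + source_id + handle
    return base64.b64encode(raw).decode("ascii")


def parse_artifact(artifact, expected_issuer_entity_id):
    """Decode an artifact the SP received and confirm its SourceID names the IdP we intend to resolve against."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != 44 or raw[:2] != b"\x00\x04":
        raise ValueError("not a type 0x0004 SAML 2.0 artifact")
    endpoint_index = int.from_bytes(raw[2:4], "big")
    source_id, handle = raw[4:24], raw[24:44]
    if source_id != hashlib.sha1(expected_issuer_entity_id.encode("utf-8")).digest():
        raise ValueError("artifact SourceID does not match the expected issuer")
    return endpoint_index, handle


def build_artifact_resolve(artifact, sp_entity_id, request_id, issue_instant):
    """Wrap samlp:ArtifactResolve in a SOAP 1.1 envelope: the SP-to-IdP back-channel request, no user agent involved."""
    env = ET.Element(f"{{{NS['soap']}}}Envelope")
    body = ET.SubElement(env, f"{{{NS['soap']}}}Body")
    req = ET.SubElement(body, f"{{{NS['samlp']}}}ArtifactResolve",
                        {"ID": request_id, "Version": "2.0", "IssueInstant": issue_instant})
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{NS['samlp']}}}Artifact").text = artifact
    return ET.tostring(env, encoding="unicode")


def parse_artifact_response(soap_xml, expected_in_response_to):
    """Check the IdP's ArtifactResponse and return the local name of the protocol message it carries.
    Signature verification is not done here; it must happen before anything in the response is trusted."""
    env = ET.fromstring(soap_xml)
    resp = env.find("soap:Body/samlp:ArtifactResponse", NS)
    if resp is None:
        raise ValueError("no samlp:ArtifactResponse in SOAP Body")
    # Bind the answer to our own request: an ArtifactResponse issued for some other
    # ArtifactResolve must not be accepted as the resolution of this artifact.
    if resp.get("InResponseTo") != expected_in_response_to:
        raise ValueError("InResponseTo does not match the ArtifactResolve ID we sent")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise ValueError("artifact resolution did not succeed")
    wrapper_children = {f"{{{NS['saml']}}}Issuer", f"{{{NS['ds']}}}Signature",
                        f"{{{NS['samlp']}}}Extensions", f"{{{NS['samlp']}}}Status"}
    inner = [child for child in resp if child.tag not in wrapper_children]
    if len(inner) != 1:
        raise ValueError("expected exactly one resolved protocol message")
    return inner[0].tag.split("}")[1]


# Constructed sample of what the IdP returns; entity IDs, message IDs and timestamps are made up.
SAMPLE_ARTIFACT_RESPONSE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <samlp:ArtifactResponse xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        ID="_ar1" Version="2.0" IssueInstant="2008-02-13T18:00:01Z" InResponseTo="_req1">
      <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
      <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
      <samlp:Response ID="_sso1" Version="2.0" IssueInstant="2008-02-13T17:59:58Z"
          Destination="https://sp.example.com/acs">
        <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
        <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
      </samlp:Response>
    </samlp:ArtifactResponse>
  </soap:Body>
</soap:Envelope>"""


if __name__ == "__main__":
    idp, sp = "https://idp.example.org/idp", "https://sp.example.com/sp"
    artifact = build_artifact(idp, 0)
    parse_artifact(artifact, idp)
    print(build_artifact_resolve(artifact, sp, "_req1", "2008-02-13T18:00:00Z"))
    print("resolved message:", parse_artifact_response(SAMPLE_ARTIFACT_RESPONSE, "_req1"))
```

The point the thread makes is visible in where the SOAP call sits: the artifact travels through the browser (HTTP redirect or POST), and only the resolution step is a SOAP exchange between SP and IdP. The SourceID check in parse_artifact is what lets an SP pick the right IdP (and refuse an artifact claiming to come from one it does not trust), and the InResponseTo check is what stops an unrelated or replayed ArtifactResponse from being treated as the answer to the SP's request.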


