Subject: Request for clarification regarding simple-sign spec
Hi,

I'm using simple-sign to secure SAML messages between two servers. In this case neither server wants to deal with full XML signatures (flames off-list are fine :). My question is in regard to the following paragraph from section 2.4.

> If the SAML protocol message is signed using SimpleSign, the Destination XML attribute in the root SAML element of the SAML protocol message MUST contain the URL to which the sender has instructed the user agent to deliver the message. The recipient MUST then verify that the value matches the location at which the SAML protocol message has been received. Also, the signer's certificate or other keying information MAY be included in a form control named KeyInfo. This form control, if present, MUST contain a base-64 encoded <ds:KeyInfo> element [XMLSig] (base-64 encoding is done as in step 1, above).

Since the message is NOT being passed through a user agent, does this still apply? I can see the Destination attribute being useful on the initial request message (in our case an AuthnRequest) but not on the Response, as that data is just the return of the HTTP request. However, the spec says it's a MUST. How does the receiving server know the endpoint at the sender when it's just responding to an HTTP request? Can we consider our implementation compliant if it's specified on the AuthnRequest but not on the Response?

Thanks,
George
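The receiver-side Destination check that the quoted paragraph requires, written as an added example that is not part of this thread or of any SAML library: it decodes the base-64 form value, reads the Destination attribute off the root element, and compares it with the URL the message actually arrived at (scheme/host case-folded, default ports dropped, path compared exactly). The sample Response XML and the endpoint URL are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET  # a hardened parser (e.g. defusedxml) is preferable in production

# Constructed sample: a minimal SAML Response whose Destination names the receiving endpoint.
SAMPLE_RESPONSE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-id" Version="2.0" IssueInstant="2009-01-01T00:00:00Z" '
    'Destination="https://sp.example.com/acs"/>'
)


def encode_message(xml_text):
    """Step-1 style base-64 encoding of the protocol message, as carried in the form control."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def _canonical_url(url):
    """Normalise a URL for comparison: lower-case scheme and host, drop the scheme's
    default port, keep the path exactly, ignore query string and fragment."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port == {"http": 80, "https": 443}.get(scheme):
        port = None
    netloc = host if port is None else f"{host}:{port}"
    return f"{scheme}://{netloc}{parts.path or '/'}"


def check_destination(saml_b64, received_at):
    """Return (ok, reason). ok is True only when the root SAML element carries a
    Destination attribute that matches the URL at which this message was received.
    A missing attribute is a hard failure, matching the MUST in the binding text."""
    try:
        root = ET.fromstring(base64.b64decode(saml_b64, validate=True))
    except (ValueError, ET.ParseError) as exc:
        return False, f"undecodable message: {exc}"
    dest = root.get("Destination")
    if dest is None:
        return False, "Destination attribute missing on root element"
    if _canonical_url(dest) != _canonical_url(received_at):
        return False, f"Destination {dest!r} does not match receiving URL {received_at!r}"
    return True, "Destination matches receiving endpoint"


if __name__ == "__main__":
    print(check_destination(encode_message(SAMPLE_RESPONSE_XML), "https://sp.example.com/acs"))
```

Note that this check is independent of the signature itself; a receiver still has to verify the SimpleSign signature over the message before trusting any attribute it carries.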