OASIS Mailing List Archives

security-services message



Subject: RE: [security-services] URI binding query parameter: rationale?


> > [in section 3.7.5.1 of the bindings spec.]
> > Could someone please explain the rationale behind forcing the format
> > of the URI that points to a SAML assertion in the SAML URI binding
> > (i.e. a unique query string parameter of the form ID=xxxx)?
> >
> > Why not leave the format of this URI to the implementor?

We do, but we also mandated at least one shared convention so that a
reference to an Assertion ID could be turned into a query where necessary.
In practice, most references are likely to be a URI to begin with, allowing
the IdP to specify any convention it likes as long as the binding is
understood.

I suppose one would say that the binding represents a REST-based service
API, and you certainly have to provide a spec for that API.

I haven't really seen the binding even get used in practice, so can't say
I've thought about it much. I find the notion of using references to
assertions for security purposes fraught with "interesting" questions in
most cases.

-- Scott
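
The ID=xxxx convention discussed in this thread, sketched in both directions as an added example (it is not part of the original message or of the SAML specification text): a requester turns an assertion ID into a query, and a responder accepts only a single ID parameter before using the value as a lookup key. The function names, the example.org endpoint, the rule that the endpoint has no query of its own, and the ASCII-only NCName check are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: assertion IDs are xs:ID values; only the ASCII subset of
# NCName is accepted here, which also excludes '/', '%', '&' and whitespace.
_NCNAME = re.compile(r"[A-Za-z_][A-Za-z0-9._-]*\Z")


def assertion_uri(endpoint: str, assertion_id: str) -> str:
    """Requester side: turn an assertion ID reference into an ID=... query."""
    if not _NCNAME.match(assertion_id):
        raise ValueError("assertion ID is not a valid NCName")
    parts = urlsplit(endpoint)
    # Assumption: the endpoint carries no query or fragment of its own, so
    # the ID parameter is the only thing in the query string.
    if parts.query or parts.fragment:
        raise ValueError("endpoint must not contain a query or fragment")
    return urlunsplit(parts._replace(query=urlencode({"ID": assertion_id})))


def requested_assertion_id(url: str) -> str:
    """Responder side: accept exactly one parameter, named ID, and nothing else."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True,
                      strict_parsing=True)
    # Duplicate ID parameters are rejected rather than resolved, so two
    # components can never disagree about which value was requested.
    if len(pairs) != 1 or pairs[0][0] != "ID":
        raise ValueError("expected a single ID query parameter")
    value = pairs[0][1]
    if not _NCNAME.match(value):
        raise ValueError("ID value is not a valid NCName")
    return value  # use only as an exact-match key into the assertion store


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    uri = assertion_uri("https://idp.example.org/assertions", "_a1b2c3")
    print(uri)
    print(requested_assertion_id(uri))
```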