Subject: RE: [security-services] URI binding query parameter: rationale?
> > [in section 3.7.5.1 of the bindings spec.]
> >
> > Could someone please explain the rationale behind forcing the format
> > of the URI that points to a SAML assertion in the SAML URI binding
> > (i.e. a unique query string parameter of the form ID=xxxx)?
> >
> > Why not leave the format of this URI to the implementor?

We do, but we also mandated at least one shared convention so that a reference to an Assertion ID could be turned into a query where necessary. In practice, most references are likely to be a URI to begin with, allowing the IdP to specify any convention it likes as long as the binding is understood.

I suppose one would say that the binding represents a REST-based service API, and you certainly have to provide a spec for that API.

I haven't really seen the binding even get used in practice, so can't say I've thought about it much. I find the notion of using references to assertions for security purposes fraught with "interesting" questions in most cases.

-- Scott