OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [security-services] question on MNI request for SP Lite/IdP Lite

I agree this is an odd situation. At the heart of it, it is a question of
1.) what is the difference between SP/IdP and SP Lite/IdP Lite and 2.) how
do you prove an application can switch between the two modes.

For a SP Lite/IdP Lite only application that does not define a MNI endpoint,
you couldn't use this test case, nor would you want to. However, we are
getting companies in the test events which want to certify their products as
both SP/IdP and SP Lite/IdP Lite. For these products, they do define a MNI
endpoint in their metadata, but claim to be able to switch this
functionality on/off. For the 2008 event, we just granted them certification
in both modes, but we came to believe we need to do something to verify this
switching functionality.

But as we (Liberty LCRT, DGI, test participants) discussed this, we were
unsure exactly how to approach this. There was some confusion on the nature
of the difference between SP/IdP and their Lite modes. Is it simply not
listening on an MNI endpoint and thus not accepting MNIRequests or is it
something deeper?

Kyle Meadors
-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu] 
Sent: Wednesday, March 25, 2009 11:38 AM
To: 'Kyle Meadors'; security-services@lists.oasis-open.org
Subject: RE: [security-services] question on MNI request for SP Lite/IdP

Kyle Meadors wrote on 2009-03-25:
> For this year's Liberty SAML IOP event, we are adding a new error test
> for SP Lite and IdP Lite applications. Per the SAML conformance
> specification, SP Lite and IdP Lite MUST NOT support Name ID management
> messaging and functionality. As some of the vendor products allow their
> applications to be switched from SP to SP Lite mode (same with IdP and IdP
> Lite), we need to fully test this "switch" and verify they are properly
> acting in the SP Lite/IdP Lite mode.

Is this really useful? Does anybody remember why we said MUST NOT and what
that could possibly even mean?

> 1. When a SP Lite/IdP Lite receives a MNIRequest, what should be their
> proper response? Ignore the request? Generate an error <Status> response?
> Either is acceptable?

It shouldn't even have an endpoint to which you could send one, so it should
never come up.

> 2. After generating the MNIRequest, I planned on verifying the SP Lite/IdP
> Lite did not accept the name ID change by sending a LogoutRequest using
> new name ID from the MNIRequest message and looking for the error <Status>
> response that the SP Lite/IdP Lite does not recognize the principal. Then,
> send the LogoutRequest using the original name ID from the Response
> and verifying principal is successfully logged out. Does this sound like a
> reasonable test scenario?

I think this is kind of a weird thing to require, let alone try to test.
What I guess you'd want to do is simply verify that if something claims to
support MNI but then returns an error when you try it, that the logout
doesn't work.

But something that doesn't support MNI simply has no place to send the
message to.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]