security-services message
Subject: [OASIS Issue Tracker] Commented: (SECURITY-6) Conflict with core in SSO profile on returning error Responses to SP



[ http://tools.oasis-open.org/issues/browse/SECURITY-6?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18230#action_18230 ]

Scott Cantor commented on SECURITY-6:
-------------------------------------

That text conflicts with the original wording, which is a problem for an errata. We can't introduce new MUSTs. I would be comfortable with:

"Regardless of the success or failure of the <AuthnRequest>, the identity provider SHOULD produce and send an HTTP response to the user agent containing a <Response> message under any circumstances within its control, and implementations SHOULD provide deployers with the ability to guarantee responses where possible."

That's about as strong as we could get in an errata. Other profiles have more freedom to require implementations to support this.

> Conflict with core in SSO profile on returning error Responses to SP
> --------------------------------------------------------------------
>
>                 Key: SECURITY-6
>                 URL: http://tools.oasis-open.org/issues/browse/SECURITY-6
>             Project: OASIS Security Services (SAML) TC
>          Issue Type: Bug
>          Components: Profiles
>    Affects Versions: Version 2.0
>            Reporter: Scott Cantor
>            Priority: Minor
>             Fix For: 2.0 incorporating Approved Errata
>
>
> Section 3.4.1.4 of Core states that "The responder MUST ultimately reply to an <AuthnRequest> with a <Response> message..." regardless of success or failure.
> Section 4.1.3.5 of Profiles reads "Regardless of the success or failure of the <AuthnRequest>, the identity provider SHOULD produce an HTTP response to the user agent containing a <Response> message...".
> The conflicting language should be clarified, without imposing the impossible requirement for an IdP to guarantee a response, but to encourage implementers to favor responses and/or provide options to ensure that.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
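The error <Response> that both spec sections are talking about, as an added illustration that is not part of the thread or of any OASIS artifact: an IdP-side builder for a failure <Response> to an <AuthnRequest>, and the SP-side check that accepts a login only on an explicit Success status. The namespace and status URIs are SAML 2.0 constants; the function names, the placeholder ID and all sample values are assumptions of this example.

```python
# Added example (not from the OASIS thread): the IdP-side error <Response> and the
# SP-side status check. Signature validation is deliberately out of scope here.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"

ET.register_namespace("samlp", SAMLP)


def build_error_response(in_response_to, destination, issue_instant, message):
    """IdP side: a <Response> that carries a failure Status instead of an assertion,
    so the SP learns the outcome rather than waiting for a reply that never comes."""
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_resp-placeholder",  # hypothetical; a real IdP generates a unique xs:ID
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "InResponseTo": in_response_to,
        "Destination": destination,
    })
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    # Top-level code is always one of the four SAML-defined values; the nested
    # second-level code gives the specific reason.
    top = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": STATUS_RESPONDER})
    ET.SubElement(top, f"{{{SAMLP}}}StatusCode", {"Value": STATUS_AUTHN_FAILED})
    ET.SubElement(status, f"{{{SAMLP}}}StatusMessage").text = message
    return ET.tostring(resp, encoding="unicode")


def check_response(xml_text, expected_request_id):
    """SP side: returns (ok, reason). Anything other than an explicit top-level
    Success, or a reply to a request we did not issue, is a failed login."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "not a samlp:Response"
    if root.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo does not match the outstanding request"
    # iter() yields document order: the top-level code comes first.
    codes = [c.get("Value") for c in root.iter(f"{{{SAMLP}}}StatusCode")]
    if not codes:
        return False, "missing Status"
    if codes[0] != STATUS_SUCCESS:
        return False, "IdP reported " + "/".join(codes)
    return True, "success"
```

Because the profile only says the IdP SHOULD respond, the SP must also expire its outstanding request IDs and treat a missing reply as a failure, not as a pending success.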