RE: [security-services] JIRA SECURITY-6 PE: Conflict with core in SSOprofile on returning error Responses to SP

[ARI KERMAIER <ARI.KERMAIER@oracle.com>]

Why mention a specific error condition at all? How about just:

"Identity Provider implementations MUST/SHOULD support the issuance of
<saml2p:Response> messages (with appropriate status codes) in the event of
an error condition, provided that the user agent remains available and an
acceptable location to which to deliver the response is available."

::Ari

> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Monday, April 19, 2010 12:49 PM
> To: ARI KERMAIER; OASIS SSTC
> Subject: RE: [security-services] JIRA SECURITY-6 PE: Conflict with core
> in SSO profile on returning error Responses to SP
> 
> > I agree that there is a conflict between the current texts in Core
> and
> > Profiles in terms of MUST vs. SHOULD, but if that can be resolved
> without
> > changing the underlying nature of the guidance to implementers, I
> think
> that
> > would be a cleaner result.
> 
> I proposed the following compromise wording for Kantara:
> 
> "Identity Provider implementations MUST support the issuance of
> <saml2p:Response> messages (with appropriate status codes) in the event
> that
> authentication of the user is unsuccessful, provided that the user
> agent
> remains available and an acceptable location to which to deliver the
> response is available."
> 
> For errata purposes, I would s/MUST/SHOULD.
> 
> I'd probably also hold open the issue on our side pending finalization
> of
> the language in the profile there. My feeling is that it's insufficient
> and
> overly specific to talk only about "authn of the user", but I don't
> know
> what else to say.
> 
> -- Scott
> 
>