Subject: SAML Profile StatusCode (was: Re: [xacml] Changes in the profiles)
Hi Erik,

On 3/04/2014 1:31 AM, Erik Rissanen wrote:
> I hadn't noticed the post about the SAML profile. I think it makes sense to have the SAML status code refer to SAML layer related errors. Do you have a proposal for how to change the text?
Here is a suggestion for replacing the text following "<samlp:StatusCode> [Required]" in Section 4.11.

    The <samlp:StatusCode> element is a component of the <samlp:Status> element in the <samlp:Response>. In the response to an <xacml-samlp:XACMLAuthzDecisionQuery>, the value of the <samlp:StatusCode> XML attribute is determined as follows:

    urn:oasis:names:tc:SAML:2.0:status:Success
        This value for the <samlp:StatusCode> XML attribute SHALL be used if and only if at least one XACMLAuthzDecision Assertion (i.e., <saml:Assertion> element) is present. Note that an XACMLAuthzDecision Assertion may indicate XACML errors.

    urn:oasis:names:tc:SAML:2.0:status:Requester
        This value for the <samlp:StatusCode> XML attribute SHOULD be used if an error in the original <xacml-samlp:XACMLAuthzDecisionQuery> prevented evaluation by the XACML PDP.

    urn:oasis:names:tc:SAML:2.0:status:Responder
        This value for the <samlp:StatusCode> XML attribute SHOULD be used if the XACML PDP attempted evaluation of the original <xacml-samlp:XACMLAuthzDecisionQuery>, but was unable to produce a valid XACMLAuthzDecision Assertion.

    Other SAML status codes MAY be used where appropriate when there are no XACMLAuthzDecision Assertions present.

I used "SHOULD" for the "Requester" and "Responder" statuses because it is sometimes fuzzy where the fault lies, and to give implementors wriggle room to choose another SAML status code where it would make more sense, without us having to be prescriptive about every single one of them.

The SAML <Status> element is a mandatory child element of the SAML <Response> element, so one should be provided in the example in Section 4.11. I suggest:

    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>

immediately following the <samlp:Response> start-tag.

Regards,
Steven
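To make the proposed rules concrete, here is an added Python example (not part of this thread or of the XACML SAML profile) that picks the <samlp:StatusCode> value from the PDP outcome, emits a <samlp:Response> with the mandatory <samlp:Status> as its first child, and checks a received response for consistency with the rules. The SAML 2.0 protocol and assertion namespaces are the standard ones; the IDs and the placeholder assertion are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"      # SAML 2.0 protocol namespace
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"      # SAML 2.0 assertion namespace
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def choose_status(assertions, request_error=False):
    """Proposed rule: Success iff at least one XACMLAuthzDecision assertion
    is present (even one carrying an XACML error); otherwise Requester when
    a fault in the query prevented evaluation, else Responder."""
    if assertions:
        return SUCCESS
    return REQUESTER if request_error else RESPONDER


def build_response(response_id, assertions, request_error=False):
    """Emit <samlp:Response> with the mandatory <samlp:Status> as its first
    child, followed by any assertions the PDP produced."""
    resp = ET.Element(f"{{{SAMLP}}}Response", {"ID": response_id, "Version": "2.0"})
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode",
                  {"Value": choose_status(assertions, request_error)})
    resp.extend(assertions)
    return resp


def status_is_consistent(resp):
    """Receiver-side check: Success must come with an assertion and any
    other code must come without one; a missing <samlp:Status> is invalid."""
    code = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None:
        return False
    has_assertion = resp.find(f"{{{SAML}}}Assertion") is not None
    return (code.get("Value") == SUCCESS) == has_assertion


def sample_assertion():
    # Constructed placeholder: a bare <saml:Assertion>, not a full XACMLAuthzDecision
    return ET.Element(f"{{{SAML}}}Assertion", {"ID": "_assertion-1", "Version": "2.0"})


if __name__ == "__main__":
    print(ET.tostring(build_response("_resp-1", [sample_assertion()]), encoding="unicode"))
```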