- Type: Bug
- Status: Resolved
- Priority: Minor
- Resolution: Applied
- Affects Version/s: 2.0
- Fix Version/s: SAML 2.0 + Approved Errata 05
- Component/s: Profiles
- Labels: None

Proposal:
Section 3.4.1.4 of Core states that "The responder MUST ultimately reply to an <AuthnRequest> with a <Response> message..." regardless of success or failure.
Section 4.1.3.5 of Profiles reads "Regardless of the success or failure of the <AuthnRequest>, the identity provider SHOULD produce an HTTP response to the user agent containing a <Response> message...".
The conflicting language should be clarified, not by imposing the impossible requirement that an IdP guarantee a response, but by encouraging implementers to favor responses and/or provide options to ensure that.