OASIS Security Services (SAML) TC
SECURITY-6

PE: Conflict with core in SSO profile on returning error Responses to SP


    Details

    • Proposal:

      Change text in 4.1.3.5 of Profiles to:

      "Identity Provider implementations SHOULD support the issuance of
      <saml2p:Response> messages (with appropriate status codes) in the event of
      an error condition, provided that the user agent remains available and an
      acceptable location to which to deliver the response is available. The
      criteria for "acceptability" of a response location are not formally
      specified, but are subject to Identity Provider policy and reflect its
      responsibility to protect users from being sent to untrusted or possibly
      malicious parties."


      Description

      Section 3.4.1.4 of Core states that "The responder MUST ultimately reply to an <AuthnRequest> with a <Response> message..." regardless of success or failure.

      Section 4.1.3.5 of Profiles reads "Regardless of the success or failure of the <AuthnRequest>, the identity provider SHOULD produce an HTTP response to the user agent containing a <Response> message...".

      The conflicting language should be clarified so that it does not impose the impossible requirement that an IdP guarantee a response, but still encourages implementers to favor responses and/or to provide options that ensure them.
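      To make the proposed rule concrete, the following is an added Python example (not part of this issue or of any SAML implementation): it models the "acceptable location" policy as an exact match of the requested AssertionConsumerService URL against a constructed set of registered SP endpoints, and builds an error <saml2p:Response> only when that check passes, otherwise keeping the user agent on a local IdP error page. The endpoint URLs, request ID and failure message are all constructed sample values.

```python
import uuid
from datetime import datetime, timezone
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
ET.register_namespace("saml2p", SAMLP)

# Constructed SP registration: the only ACS endpoints this IdP has on file.
SP_ACS_LOCATIONS = {
    "https://sp.example.org/Shibboleth.sso/SAML2/POST",
    "https://sp.example.org/Shibboleth.sso/SAML2/Redirect",
}


def acceptable_location(requested_acs, registered=SP_ACS_LOCATIONS):
    """Exact match against registered endpoints, HTTPS only. Host-only or
    prefix matching would let a crafted AuthnRequest steer the user elsewhere."""
    if not requested_acs or urlsplit(requested_acs).scheme != "https":
        return False
    return requested_acs in registered


def build_error_response(in_response_to, destination, top_code, sub_code=None,
                         message=None):
    """Minimal <saml2p:Response> carrying a non-Success status."""
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "InResponseTo": in_response_to,
        "Destination": destination,
    })
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    code = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=top_code)
    if sub_code:  # second-level code nests inside the top-level one
        ET.SubElement(code, f"{{{SAMLP}}}StatusCode", Value=sub_code)
    if message:
        ET.SubElement(status, f"{{{SAMLP}}}StatusMessage").text = message
    return ET.tostring(resp, encoding="unicode")


def handle_failure(requested_acs, in_response_to, reason):
    """The proposed rule: send an error Response only to an acceptable location;
    otherwise fall back to a local IdP error page and keep the user here."""
    if acceptable_location(requested_acs):
        return ("saml", build_error_response(in_response_to, requested_acs,
                                             STATUS_RESPONDER, message=reason))
    return ("local", reason)
```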


            People

            • Assignee:
              cantor.2 Scott Cantor (Inactive)
              Reporter:
              cantor.2 Scott Cantor (Inactive)
            • Watchers:
              1
