Subject: [security-services] ISSUE: protocol for artifact- and ID-based queries
What is the right answer to these questions?

>In the doc: draft-sstc-bindings-model-11, Page 16, Lines 507-510 say:
>
>"In the case where the source site returns assertions within
><samlp:Response>, it MUST return exactly one assertion for each SAML
>artifact found in the corresponding <samlp:Request> element. The case
>where fewer or greater number of assertions is returned within
>the <samlp:Response> element MUST be treated as an error state by the
>destination site. "
>
>Line 523 says:
>"At least one of the SAML assertions returned to the destination site
>MUST be an SSO assertion. "
>
>My question is whether "exactly one assertion" means one SSO assertion or
>any kind of assertion. For example, if I send a <samlp:request> containing
>one SAML artifact, and receive a <samlp:response> which contains exactly
>ONE valid SSO assertion corresponding to the artifact. But I also receive
>additional assertions which are not SSO assertions. Should I consider such a
>response to be invalid?
>
>The same case for request/response corresponding to AssertionID. Can the
>response send additional assertions plus the assertion corresponding to the
>AssertionID?

--
Eve Maler                                    +1 781 442 3190
Sun Microsystems XML Technology Center   eve.maler @ sun.com