Subject: RE: [security-services] A browser/POST question...
I don't have a big issue with this but I do not really see this as errata. Basically, it does not matter what the <saml:ConfirmationMethod> is set to in the FORM/POST profile; it is never discussed in the profile. So why explicitly include a statement that says DON'T use it? Scott, you have the most experience with the POST profile. Do you end up spending time discussing <saml:ConfirmationMethod>? Is clarity the real issue here?

[Scott] The section is 4.1.2.5, line 743 of the 1.0 B&P document. Current text reads:

"The <saml:ConfirmationMethod> element of each assertion MUST be set to urn:oasis:names:tc:SAML:1.0:cm:bearer."

That text is actually a little muddled. I suggest a clarifying edit to read:

"Each statement subject included in the response MUST include a <saml:ConfirmationMethod> element of urn:oasis:names:tc:SAML:1.0:cm:bearer."

Then we can add:

"<saml:SubjectConfirmationData> SHOULD NOT be included." [\Scott]
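An added example, not part of the original message or of the SAML specification: a receiver-side check for the wording proposed in the thread, reporting each statement subject that lacks the bearer <saml:ConfirmationMethod> or carries <saml:SubjectConfirmationData>. The function name, the helper builders, the sample responses and the urn:example:cm:other value are constructed for illustration; signature and validity checks are out of scope.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"  # value quoted in the thread

def check_post_subjects(response_xml):
    """Return findings for a browser/POST response; an empty list means it conforms."""
    findings = []
    subjects = ET.fromstring(response_xml).findall(".//saml:Subject", NS)
    if not subjects:
        findings.append("no statement subject found")
    for i, subject in enumerate(subjects, 1):
        conf = subject.find("saml:SubjectConfirmation", NS)
        if conf is None:
            findings.append(f"subject {i}: MUST: no SubjectConfirmation")
            continue
        # The proposed text requires the bearer method to be present on every subject.
        methods = [(m.text or "").strip()
                   for m in conf.findall("saml:ConfirmationMethod", NS)]
        if BEARER not in methods:
            findings.append(f"subject {i}: MUST: bearer ConfirmationMethod missing")
        # SHOULD NOT: reported as a finding, left to the caller to treat as warning or error.
        if conf.find("saml:SubjectConfirmationData", NS) is not None:
            findings.append(f"subject {i}: SHOULD NOT: SubjectConfirmationData present")
    return findings

def _assertion(method, with_data=False):
    """Build one constructed assertion with a single authentication statement."""
    data = "<saml:SubjectConfirmationData>x</saml:SubjectConfirmationData>" if with_data else ""
    return ("<saml:Assertion><saml:AuthenticationStatement><saml:Subject>"
            "<saml:NameIdentifier>user@example.org</saml:NameIdentifier>"
            "<saml:SubjectConfirmation>"
            f"<saml:ConfirmationMethod>{method}</saml:ConfirmationMethod>{data}"
            "</saml:SubjectConfirmation></saml:Subject>"
            "</saml:AuthenticationStatement></saml:Assertion>")

def _response(*assertions):
    """Wrap constructed assertions in a minimal SAML 1.0 Response element."""
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" '
            f'xmlns:saml="{NS["saml"]}">' + "".join(assertions) + "</samlp:Response>")

# Constructed samples: one conforming response, one whose second subject does not conform.
GOOD = _response(_assertion(BEARER))
BAD = _response(_assertion(BEARER), _assertion("urn:example:cm:other", with_data=True))

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_post_subjects(doc) or "conforms")
```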