[liberty-dev] 2 items for clarification in protocols and schemas document

To liberty-dev@emailprotection.org
From Jon Serg <serg@Sun.COM>
Date Fri, 09 Aug 2002 16:00:50 -0700
Reply-to liberty-dev@emailprotection.org
Sender liberty-dev-owner@emailprotection.org

Here are two things in the protocols and schemas document that recently
came up for us as potential interoperability problems:

(1) In the Single Logout protocol, the specification doesn't seem to
    explicitly say whether the sender needs to include the entire
    NameIdentifier that was sent in the Assertion (or possibly
    RegisterNameIdentifierRequest), or just the mandatory value.  The
    qualifier and format are optional.

    It seems to me that the sender should send back everything that was
    in the original name identifier from the assertion.  So, for
    example, if the IDP fills in all three fields in the name
    identifier in the assertion, the SP should send all three back at
    logout time, but if the IDP only fills in two of them, the SP
    should only send back those two and omit the third.  But it's
    possible that others who don't intend to use the optional fields
    might skip parsing and storing them entirely...

(2) The schema defines a lib:Assertion element that is not used anywhere.
    This is potentially misleading; it is possible that some may assume
    that the authentication statement should contain
        <lib:Assertion ...>...</lib:Assertion>
    instead of
        <saml:Assertion xsi:type="lib:AssertionType" ...>...</saml:Assertion>
    leading to interoperability problems.  (My understanding is that only
    the second is legal inside the AuthenticationStatement.)

Has anyone else run into these problems?  How have others handled these
Jon Serg

Partial thread listing:

[liberty-dev] 2 items for clarification in protocols and schemas document
(Jon Serg)
 Vineet Arora (08/11/2002)
 Jonathan Sergent (08/12/2002)
Possible follow-ups
 Hubert A. Le Van Gong (08/12/2002)
 Jonathan Sergent (08/12/2002)


Please enter your comment!
Please enter your name here