
mace-opensaml-users - RE: cookie in header

Subject: OpenSAML user discussion


RE: cookie in header


  • From: "RL 'Bob' Morgan" <>
  • To: Scott Cantor <>
  • Cc: "'Shuli Zhou/schedule'" <>,
  • Subject: RE: cookie in header
  • Date: Thu, 8 Jan 2004 13:57:28 -0800 (PST)


On Thu, 8 Jan 2004, Scott Cantor wrote:

> > I need to include a cookie when sending a SAMLRequest via
> > SAMLSOAPBinding's send method. Is there a way to do it?
>
> Not currently. It wouldn't be inordinately hard to add that, but by some
> interpretations, that would violate the SAML spec, since it would
> introduce an HTTP header that shouldn't need to be there for a SAML
> authority to respond.

Hmm, indeed the SAML SOAP binding says

A SAML responder MUST NOT require any headers for the SOAP message.

but this seems kinda fuzzy; obviously a responder might have requirements
on a request that it fit into some general messaging scheme in order to be
able to give it a proper response, e.g. security or routing or whatever;
and meeting those requirements might involve SOAP headers just as they
might involve wrapping in SSL, etc. Seems inappropriate for the SAML spec
to declare that such schemes simply can't be used with SAML/SOAP. Seems
like something to clarify in 2.0.

> OTOH, I could see implementing some kind of session-based authentication
> between the client and the authority that would need a cookie, so it's
> probably a gray area.

Hmm, hmm, I guess it's the case that neither SOAP 1.1 nor 1.2 say anything
about sessions. So I guess out in the world people do sessions with SOAP
however they feel like it. Also the SAML SOAP binding says nothing about
sessions. In SAML a response is associated with a request via
RequestID/InResponseTo, but linking multiple reqs/resps into a session
that might share security context is not specified. Seems like the sort
of thing people would use cookies for. A quick Google indicates that
Apache and MS both can do this in their SOAP implementations.

- RL "Bob"
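The RequestID/InResponseTo correlation Bob describes, as an added example that is not OpenSAML code or anything posted in the thread: a client builds a SAML 1.x request inside a SOAP 1.1 envelope with no SOAP Header (matching the binding clause quoted above) and accepts a reply only when its InResponseTo names an outstanding request, so mismatched, unsolicited or replayed responses are dropped. The sample responder reply is constructed; the function names are this example's own.

```python
# Added example (not from OpenSAML): header-less SOAP request and
# InResponseTo correlation check on the reply.
import secrets
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAMLP_NS = "urn:oasis:names:tc:SAML:1.0:protocol"
ET.register_namespace("SOAP-ENV", SOAP_NS)
ET.register_namespace("samlp", SAMLP_NS)

def new_request_id():
    # SAML 1.x IDType is an XML NCName, so it must not start with a digit.
    return "_" + secrets.token_hex(16)

def build_soap_request(request_id, issue_instant="2004-01-08T21:57:28Z"):
    """SOAP envelope carrying samlp:Request; no SOAP Header element, per the binding."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    req = ET.SubElement(body, f"{{{SAMLP_NS}}}Request")
    req.set("RequestID", request_id)
    req.set("MajorVersion", "1")
    req.set("MinorVersion", "1")
    req.set("IssueInstant", issue_instant)
    return ET.tostring(env, encoding="unicode")

def check_response(soap_xml, pending_ids):
    """Return the matched RequestID, or None if the reply must be discarded.

    pending_ids: set of RequestIDs this client sent and has not yet seen answered.
    A matched id is removed so a replayed copy of the response is not accepted twice.
    """
    root = ET.fromstring(soap_xml)
    resp = root.find(f"{{{SOAP_NS}}}Body/{{{SAMLP_NS}}}Response")
    if resp is None:
        return None
    in_response_to = resp.get("InResponseTo")
    if in_response_to is None or in_response_to not in pending_ids:
        return None
    pending_ids.discard(in_response_to)
    return in_response_to

# Constructed sample responder reply (not captured from a real SAML authority);
# {rid} is filled in with the RequestID under test.
SAMPLE_RESPONSE = (
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
    '<SOAP-ENV:Body><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"'
    ' ResponseID="_r1" InResponseTo="{rid}" MajorVersion="1" MinorVersion="1"'
    ' IssueInstant="2004-01-08T21:57:29Z"/></SOAP-ENV:Body></SOAP-ENV:Envelope>'
)
```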
