Shibboleth Developers

["Scott Cantor" <>]

> I would tend to agree with you if it is not compliant, but I thought
> (and I am likely to be wrong here) that the SAML specification was for
> the target parameter to be in all uppercase going into and out of the
> ITS (according to the SAML 1.1 Bindings and Profiles on page 20),
> although it does say recommended though.

That's not part of SAML, it's a non-normative illustration of how some
products work. The ITS was never in scope of the standard.

> It is also part of the spec that the ACS must use the issuer in the
> assertion? I am asking this because if it is I will request a bug fix
> etc from BEA.

It's part of both profiles that the only parameters required from an IdP
(source site in 1.1) are listed in the spec. There is no allowance for
requiring the IdP to send anything else. 100% not allowed. Also because
there's no defined flow from the SP to the IdP, you can't say "the IdP
should echo back anything the SP sent" because the SP doesn't send anything
in SAML 1.x.

-- Scott