Shibboleth Developers

[Brett Lomas <>]

On Wed, 2007-05-30 at 20:58 -0400, Scott Cantor wrote:
> > I would tend to agree with you if it is not compliant, but I thought
> > (and I am likely to be wrong here) that the SAML specification was for
> > the target parameter to be in all uppercase going into and out of the
> > ITS (according to the SAML 1.1 Bindings and Profiles on page 20),
> > although it does say recommended though.
> 
> That's not part of SAML, it's a non-normative illustration of how some
> products work. The ITS was never in scope of the standard.
> 
> > It is also part of the spec that the ACS must use the issuer in the
> > assertion? I am asking this because if it is I will request a bug fix
> > etc from BEA.
> 
> It's part of both profiles that the only parameters required from an IdP
> (source site in 1.1) are listed in the spec. There is no allowance for
> requiring the IdP to send anything else. 100% not allowed. Also because
> there's no defined flow from the SP to the IdP, you can't say "the IdP
> should echo back anything the SP sent" because the SP doesn't send anything
> in SAML 1.x.
> 
> -- Scott
> 
> 

Hi Scott,

thanks for that, I will see how I get on with BEA.

Brett