shibboleth-dev - RE: Final Working Draft 01 of HoK Browser SSO


RE: Final Working Draft 01 of HoK Browser SSO


  • From: "Josh Howlett" <>
  • To: <>
  • Cc: "Toshiyuki Kataoka" <>, "Josh Howlett" <>
  • Subject: RE: Final Working Draft 01 of HoK Browser SSO
  • Date: Wed, 12 Mar 2008 12:38:28 -0000

Nate,

Just one observation.

Section 2.4.5 states that the IdP MAY use the Artifact binding to
collect the <samlp:Response>.

When I first read this, I immediately wondered how the user agent
demonstrates to the SP that it possesses the private key associated with
the keying information included in the assertion's
<saml:SubjectConfirmation> given that the artifact resolution is a
direct callback to the IdP.

It took me a minute to realise that the SP, of course, can authenticate
the connection used to deliver the artifact (via the user agent) and
persist the relevant TLS state until it resolves the assertion, at which
point it's done.

Perhaps it was just me being dim (and I did manage to figure it out
myself - eventually), but might there be some value in clarifying para 4
so that when you say 'HTTP requests in this step be made over mutually
authenticated TLS' it's obvious *which* HTTP requests are important in
this context (i.e. those from the user agent)?

josh.

> -----Original Message-----
> From: Nate Klingenstein
> [mailto:]
>
> Sent: 23 February 2008 12:25
> To:
>
> Cc: Toshiyuki Kataoka
> Subject: Final Working Draft 01 of HoK Browser SSO
>
> This message is just a quick delivery of the final version of
> working draft 1 to the Shibboleth-Dev community prior to
> shipping it off to OASIS for further work. Of course, if
> more ideas strike you at any time, please don't hesitate to
> toss me a message.
>
> Primary improvements in this round are the inclusion of a
> MUST for AudienceRestriction, exactly one
> SubjectConfirmation, changes to the compatibility section,
> with particular thanks to Chad. I've got a couple other
> suggestions from others that I'm chewing over, but I suspect
> I can find them in the SAML committee, so I'll engage them there.
>
> Take care,
> Nate.
>
>

JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
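The SP-side check Josh describes, as an added illustration that is not part of this thread or of the Shibboleth code base: the SP keeps the client certificate it authenticated on the TLS connection that delivered the artifact, resolves the artifact at the IdP, and only then compares that certificate with the key the IdP placed in the assertion's holder-of-key SubjectConfirmation. The certificate bytes, the assertion and the entity ID are constructed stand-ins; signature validation, validity-window and InResponseTo checks are assumed to happen elsewhere.

```python
import base64
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed stand-in for the DER client certificate the SP captured from the
# mutually authenticated TLS session that carried the artifact (not a real cert).
CLIENT_CERT_DER = b"constructed-der-bytes-standing-in-for-a-client-certificate"


def _b64(der: bytes) -> str:
    return base64.b64encode(der).decode("ascii")


# Constructed assertion, as the SP would see it after resolving the artifact at the IdP.
ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="_a1" Version="2.0">
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="{HOK}">
      <saml:SubjectConfirmationData>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(CLIENT_CERT_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>https://sp.example.org/shibboleth</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def confirm_holder_of_key(assertion_xml: str, tls_client_cert_der: bytes, my_entity_id: str) -> bool:
    """True only if the resolved assertion carries exactly one SubjectConfirmation, it is
    holder-of-key, it names the certificate the user agent presented on the TLS session
    that delivered the artifact, and the assertion is audience-restricted to this SP."""
    root = ET.fromstring(assertion_xml)
    confs = root.findall(f"{{{SAML}}}Subject/{{{SAML}}}SubjectConfirmation")
    if len(confs) != 1 or confs[0].get("Method") != HOK:
        return False  # the draft requires exactly one SubjectConfirmation, and it must be HoK
    certs = confs[0].findall(f".//{{{DS}}}X509Certificate")
    if len(certs) != 1:
        return False
    try:
        asserted_der = base64.b64decode(certs[0].text.strip(), validate=True)
    except (ValueError, AttributeError):
        return False
    if asserted_der != tls_client_cert_der:
        return False  # the key proven on the TLS hop is not the one the IdP vouched for
    audiences = [a.text.strip() for a in root.findall(
        f"{{{SAML}}}Conditions/{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience") if a.text]
    return my_entity_id in audiences


if __name__ == "__main__":
    print(confirm_holder_of_key(ASSERTION, CLIENT_CERT_DER, "https://sp.example.org/shibboleth"))
```

The comparison is deliberately against the certificate captured before the artifact is resolved, so the callback to the IdP itself never needs to carry any proof of possession.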



