Eve, I tried to let this go but it was causing me to lose sleep :-)
This seemingly small point impacts nearly all the expository work I've
done regarding the SSO profile. Can we flesh this out a little more?
Please see below.
- Sec 4.1.2, Figure 12 (and globally throughout all the figures): I
suspect the arrow for step 1, "Access resource", is supposed to be
dotted, not solid, because it's out of band for SAML. (This is
probably a bug of long standing -- I'm sorry!)
My interpretation is just the opposite. By all indications, steps 1
and 7 are in band and in scope. In particular, see sections 18.104.22.168
and 22.214.171.124 in SAMLProf.
Good point. Since this requires a change to the diagram, can I make
another suggestion (at the risk of being pedantic)? A flow diagram
illustrating request-response exchanges should not have an odd number
of steps. The culprit in this case is step 2, which is really a pair
It's a pair depending on the binding...
It doesn't seem like the binding matters. The profile specifies a
number of round trips between a user agent and a SAML entity. The
flow begins and ends with a user agent. Thus the total number of
steps is a multiple of two. This is true in all cases, even artifact.
I personally don't think we need to hew to this rule.
That's fine. It's mostly pedagogical and not worth quibbling about in
general. I personally find this to be a useful rule when writing
documentation and so forth since it leads to reasonably complete
end-to-end flows that novices can understand.