| From | Sent On | Attachments |
|---|---|---|
| Eve L. Maler | Mar 4, 2007 8:56 pm | |
| Tom Scavo | Mar 5, 2007 7:25 am | |
| Eve L. Maler | Mar 5, 2007 8:55 am | |
| Tom Scavo | Mar 10, 2007 9:33 am | |
| Eve L. Maler | Mar 11, 2007 8:45 pm | |
| Tom Scavo | Mar 12, 2007 6:39 am | |
| Paul Madsen | Mar 26, 2007 7:57 am | |
| Paul Madsen | Mar 26, 2007 8:21 am | |
| Tom Scavo | Mar 26, 2007 9:24 am | |
| Paul Madsen | Jul 19, 2007 6:31 am | |
| Tom Scavo | Jul 19, 2007 10:07 am | |
| Paul Madsen | Jul 19, 2007 10:20 am | |
| Tom Scavo | Jul 19, 2007 11:26 am | |
| Paul Madsen | Jul 19, 2007 2:08 pm | |
| Subject: | Re: [security-services] Comments on Tech Overview rev 13 | |
|---|---|---|
| From: | Tom Scavo (trsc...@gmail.com) | |
| Date: | Mar 10, 2007 9:33:56 am | |
| List: | org.oasis-open.lists.security-services | |
Eve, I tried to let this go but it was causing me to lose sleep :-) This seemingly small point impacts nearly all the expository work I've done regarding the SSO profile. Can we flesh this out a little more? Please see below.
On 3/5/07, Eve L. Maler <Eve....@sun.com> wrote:
> On 3/5/07, Tom Scavo <trsc...@gmail.com> wrote:
> > On 3/4/07, Eve L. Maler <Eve....@sun.com> wrote:
> > > - Sec 4.1.2, Figure 12 (and globally throughout all the figures): I suspect the arrow for step 1, "Access resource", is supposed to be dotted, not solid, because it's out of band for SAML. (This is probably a bug of long standing -- I'm sorry!)
> >
> > My interpretation is just the opposite. By all indications, steps 1 and 7 are in band and in scope. In particular, see sections 4.1.3.1 and 4.1.3.6 in SAMLProf.
>
> Good point.
>
> > Since this requires a change to the diagram, can I make another suggestion (at the risk of being pedantic)? A flow diagram illustrating request-response exchanges should not have an odd number of steps. The culprit in this case is step 2, which is really a pair of steps.
>
> It's a pair depending on the binding...

It doesn't seem like the binding matters. The profile specifies a number of round trips between a user agent and a SAML entity. The flow begins and ends with a user agent. Thus the total number of steps is a multiple of two. This is true in all cases, even artifact.

> I personally don't think we need to hew to this rule.

That's fine. It's mostly pedagogical and not worth quibbling about in general. I personally find this to be a useful rule when writing documentation and so forth since it leads to reasonably complete end-to-end flows that novices can understand.
Thanks, Tom