GitHub source: https://github.com/KantaraInitiative/SAMLprofiles/tree/master/edit/saml2int

Rendered version: https://kantarainitiative.github.io/SAMLprofiles/saml2int.html


Issue tracking table


Columns: # | Reporter | Issue | Submitter Comments | Response(s) | Disposition
1
Reporter: Rainer Hörbe
Issue: NA
Submitter Comments: The first paragraph in the introduction should contrast the deployment profile with an implementation profile, and reference the SAML Implementation Profile for Federation Interop for this purpose. The difference between both types of profiles is not widely understood.
Response(s):
Disposition:

2
Reporter: Rainer Hörbe
Issue: SDP-MD02
Submitter Comments: I do not understand the explanation for [SDP-MD02]. If PKI with path validation is being used, there would be no hindrance to roll out new keys, even if metadata and assertions use the same key. I have seen IDPs that publish their own metadata at the well-known location using the same signing key as for assertions.
Response(s): (Scott) I think you may be correct about that and that the text is written with a presumption of the verification approach, and if we didn't specify that (and I don't think we did), it's open to methods that wouldn't have the problem we were concerned about. I think it needs work. Good catch.
Disposition:


3
Reporter: Rainer Hörbe
Issue: SDP-SP03
Submitter Comments: "This will typically imply that requests do _not_ involve a full-frame redirect ..". In my understanding it is the other way round; in Javascript terms one has to execute "document.location = url;". Also, what is the approach for single page applications?
Response(s): (Scott) Ouch. Yeah, that's backwards. (re: SPA): Generally AJAX use has to be governed by more intelligent server side signaling and code able to detect a loss of session without being inadvertently thrown into a SSO loop, and that's not even just due to framing but simply the lack of a UI to handle the redirect when it happens at the wrong time.
Disposition:
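The SPA situation discussed in item 3 is illustrated by the following added example, which is not part of the saml2int profile text or of the comment thread. It shows an SP-side client helper that treats an explicit server signal (a 401, or an assumed custom header `X-Session-State: expired`) as "session lost", performs a full-frame redirect by assigning the top-level location rather than letting an XHR follow a 302 to the IdP, and keeps a small counter in sessionStorage so a misconfigured SP cannot throw the browser into an SSO loop. The login path `/saml/login`, the `target` parameter, the header name and the loop thresholds are assumptions; the window object is a constructed stand-in so the code runs outside a browser.

```javascript
// Added example: SPA-side handling of session loss for a SAML-protected SP.
// Not code from the saml2int profile or its authors; endpoint names and the
// custom header are assumptions made for illustration.

const LOGIN_PATH = '/saml/login';        // assumed SP-side SSO initiator
const MAX_REDIRECTS_PER_WINDOW = 2;      // assumed loop-guard threshold
const WINDOW_MS = 60 * 1000;             // loop-guard window

// Decide whether a completed fetch/XHR means "the session is gone" rather than
// an ordinary application error. The server should signal this explicitly
// (here: 401 or an assumed header) instead of answering the XHR with a 302 to
// the IdP, which the browser would follow inside the XHR with no UI to show.
function sessionLost(status, headers) {
  const h = Object.fromEntries(
    Object.entries(headers || {}).map(([k, v]) => [String(k).toLowerCase(), v])
  );
  if (status === 401) return true;
  if (h['x-session-state'] === 'expired') return true; // assumed custom header
  return false;
}

// Build the full-frame navigation target, carrying the in-app location as a
// return target so the user lands back where they were after SSO completes.
function loginUrl(origin, returnTo) {
  const u = new URL(LOGIN_PATH, origin);
  u.searchParams.set('target', returnTo);
  return u.toString();
}

// Loop guard: allow at most MAX_REDIRECTS_PER_WINDOW login redirects per
// WINDOW_MS, tracked in sessionStorage (injected so it can run without a browser).
function allowRedirect(storage, now) {
  const raw = storage.getItem('sso-redirects');
  let stamps = raw ? JSON.parse(raw) : [];
  stamps = stamps.filter((t) => now - t < WINDOW_MS);
  if (stamps.length >= MAX_REDIRECTS_PER_WINDOW) return false;
  stamps.push(now);
  storage.setItem('sso-redirects', JSON.stringify(stamps));
  return true;
}

// Handle a completed response. Returns 'ok', 'redirected' or 'loop' so callers
// can react (e.g. show a "please sign in again" message on 'loop').
function handleResponse(win, status, headers, now = Date.now()) {
  if (!sessionLost(status, headers)) return 'ok';
  if (!allowRedirect(win.sessionStorage, now)) return 'loop';
  // Full-frame redirect: assign the top-level document location, never an
  // iframe or an XHR follow, so the IdP's login UI can actually be rendered.
  win.top.location.href = loginUrl(win.location.origin, win.location.href);
  return 'redirected';
}

// Constructed stand-in for the browser environment, used for offline runs.
function fakeWindow() {
  const store = new Map();
  return {
    location: { origin: 'https://sp.example.org', href: 'https://sp.example.org/app#/reports/42' },
    top: { location: { href: '' } },
    sessionStorage: {
      getItem: (k) => (store.has(k) ? store.get(k) : null),
      setItem: (k, v) => store.set(k, v),
    },
  };
}
```

In a real application `handleResponse` would be called from a fetch wrapper with the actual `window`, and the SP would need to emit the 401 or header for XHR requests instead of its usual redirect-to-IdP behaviour; that server-side signalling is the "more intelligent" part the comment above refers to.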
4
Reporter: Rainer Hörbe
Issue: SDP-SP23
Submitter Comments: I think that the division of IDP-discovery into disco-UI and preference persistence is a significant improvement over the current IDP-Discovery spec, fixing the issue that embedded discovery results are not shared across SPs. See the RA21 proposal: https://groups.niso.org/apps/group_public/download.php/21376/NISO_RP-27-2019_RA21_Identity_Discovery_and_Persistence-public_comment.pdf. Rumor has it that Leif implemented it in pyFF.
Response(s): The discovery spec that's referencing never addressed UI or persistence, it's an interop protocol only, to enable a discovery solution to be injected into the flow, whatever solution it might be.
Disposition: