>>> Other conditions MAY be included as requested by the Relying Party or
>>> at the discretion of the Identity Provider. The Identity Provider is
>>> not obligated to honor the requested set of conditions in the
>>> <samlp:AuthnRequest>, if any. If the Identity Provider does not honor
>>> the requested set of conditions it MUST either not return a
>>> <samlp:Response> message or return a <samlp:Response> message with an
>>> error.
>>
>> The conditions included by the RP in the request are (SAMLCore section
>> 3.4.1) "intended as input to the process of constructing the assertion,
>> rather than as conditions on the use of the request itself". An assertion
>> that includes these conditions can always be discarded by the RP, so I am
>> unclear what value the new sentence adds?
>
> To me current text says the following. The RP says please do this. The IdP
> does not do this. The IdP returns an assertion.
>
> How does the RP know that the IdP did not do this.

It parses the assertion. The requested conditions are either present, or not.

These conditions are not instructions to the IdP as to how it should process
the request. They are instructions from the IdP to the SP describing the
circumstances in which the assertion can be considered valid.

Josh.

_______________________________________________
abfab mailing list
https://www.ietf.org/mailman/listinfo/abfab
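
The check described in the reply above (parse the returned assertion and see whether the requested conditions are present), as an added example that is not part of the original thread or of any ABFAB implementation. The function names, the sample messages and the exact-match policy for time bounds are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
XMLNS = 'xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s"' % NS

def summarize(xml_text, path):
    """Return the <saml:Conditions> found at `path` as a dict, or None if absent."""
    cond = ET.fromstring(xml_text).find(path, NS)
    if cond is None:
        return None
    audiences = cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)
    return {"NotBefore": cond.get("NotBefore"),
            "NotOnOrAfter": cond.get("NotOnOrAfter"),
            "Audience": {(a.text or "").strip() for a in audiences},
            "OneTimeUse": cond.find("saml:OneTimeUse", NS) is not None}

def unhonored_conditions(request_xml, response_xml):
    """List requested conditions that the returned assertion does not carry."""
    # Assumptions of this sketch: the response signature was verified earlier,
    # and a requested time bound counts as honored only on an exact match.
    asked = summarize(request_xml, "saml:Conditions")
    if asked is None:
        return []
    got = summarize(response_xml, "saml:Assertion/saml:Conditions") or {
        "NotBefore": None, "NotOnOrAfter": None, "Audience": set(), "OneTimeUse": False}
    missing = [k for k in ("NotBefore", "NotOnOrAfter") if asked[k] and asked[k] != got[k]]
    missing += sorted("Audience:" + a for a in asked["Audience"] - got["Audience"])
    if asked["OneTimeUse"] and not got["OneTimeUse"]:
        missing.append("OneTimeUse")
    return missing

# Constructed sample messages (not from the thread); trimmed to the relevant elements.
AUDIENCE = ("<saml:AudienceRestriction><saml:Audience>https://rp.example.org"
            "</saml:Audience></saml:AudienceRestriction>")
REQUEST = f"""<samlp:AuthnRequest {XMLNS} ID="_r1" Version="2.0">
  <saml:Conditions NotOnOrAfter="2013-01-01T00:05:00Z">
    {AUDIENCE}<saml:OneTimeUse/>
  </saml:Conditions>
</samlp:AuthnRequest>"""
RESPONSE = f"""<samlp:Response {XMLNS} ID="_s1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Conditions NotOnOrAfter="2013-01-01T00:05:00Z">{AUDIENCE}</saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(unhonored_conditions(REQUEST, RESPONSE))
```

An RP that gets a non-empty list back can discard the assertion, which is the option the thread says is always open to it.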
