On Mon, Oct 25, 2010 at 02:31:55PM -0400, Scott Cantor wrote:
> > As for "the response ... violated local security policy ...", I wonder
> > what sorts of local security policy that might be. It seems to me that
> > some such violations would not be indicative of transient failure, but
> > of misconfiguration (local or remote), but it'd still indicate that
> > attributes may be missing (we don't know if the SAML response would be
> > empty had it passed local policy).
>
> That is generally true. The reason I treated it as a transient failure is
> that it generally is a misconfiguration of some sort, so it gets fixed when
> somebody realizes it. That isn't always true, but that's where the ambiguity
> kicks in.

I agree. That ambiguity doesn't bother me. Misconfiguration should be
treated as transient failure.

> When I looked at each error path, I evaluated it based on the likelihood of
> it being temporary or a mistake.

Oh, interesting. Good!