> Well, aaa-saml currently profiles the Authentication Request Protocol,
> primarily to allow use of semantics within the <samlp:AuthnRequest>
> element that don't have equivalents in RADIUS but also to be consistent
> with other SAML profiles. The spec also profiles the Assertion Q/R
> protocol. I think it makes sense to document what we're currently doing,
> as a lightweight alternative.
That's fine, but then you may need to patch the code to make sure it's not passing protocol messages into library functions that expect assertions, assuming that was the original problem.
You should also take care that anything returning a Response that wasn't solicited avoids populating InResponseTo and, in general, anything that would imply there had been a request. That's more of a profile-defining step I suppose.
You also probably need to consider the question of EncryptedAssertion (even if just to rule it out).
-- Scott
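The three checks raised in the reply above (route by root element so a protocol message is never fed to an assertion-only library, keep InResponseTo off unsolicited Responses, and decide up front what to do with EncryptedAssertion), as an added example that is not part of the aaa-saml draft, this thread, or any SAML library's API. It uses only the Python standard library; the issuer URL, subject, request IDs and the two hand-written messages at the top are constructed for the demonstration, and the receiver is assumed to keep the set of AuthnRequest IDs it has issued and not yet consumed. In production the parser should be defusedxml rather than bare ElementTree.

```python
"""Sender- and receiver-side handling of samlp:Response vs. saml:Assertion
(added example, not code from the aaa-saml draft or any library)."""
import datetime
import uuid
import xml.etree.ElementTree as ET  # production code: use defusedxml instead

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def q(ns, local):
    """Clark-notation qualified name used by ElementTree."""
    return "{%s}%s" % (ns, local)


def _now():
    return datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


# Constructed sample: a Response whose only payload is an EncryptedAssertion.
ENCRYPTED_SAMPLE = (
    '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0" '
    'IssueInstant="2000-01-01T00:00:00Z"><saml:Issuer>https://idp.example.org</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '<saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>'
    '</saml:EncryptedAssertion></samlp:Response>' % (SAMLP, SAML)
)

# Constructed sample: a bare Assertion, i.e. what the lightweight profile returns.
ASSERTION_SAMPLE = (
    '<saml:Assertion xmlns:saml="%s" ID="_a1" Version="2.0" IssueInstant="2000-01-01T00:00:00Z">'
    '<saml:Issuer>https://idp.example.org</saml:Issuer></saml:Assertion>' % SAML
)


def build_response(issuer, subject, request_id=None):
    """Sender side: minimal unsigned samlp:Response wrapping one saml:Assertion.

    InResponseTo is emitted, on the Response and on SubjectConfirmationData,
    only when request_id is given; an unsolicited Response carries neither.
    """
    resp = ET.Element(q(SAMLP, "Response"), ID="_" + uuid.uuid4().hex,
                      Version="2.0", IssueInstant=_now())
    if request_id is not None:
        resp.set("InResponseTo", request_id)
    ET.SubElement(resp, q(SAML, "Issuer")).text = issuer
    status = ET.SubElement(resp, q(SAMLP, "Status"))
    ET.SubElement(status, q(SAMLP, "StatusCode"),
                  Value="urn:oasis:names:tc:SAML:2.0:status:Success")
    assertion = ET.SubElement(resp, q(SAML, "Assertion"), ID="_" + uuid.uuid4().hex,
                              Version="2.0", IssueInstant=_now())
    ET.SubElement(assertion, q(SAML, "Issuer")).text = issuer
    subj = ET.SubElement(assertion, q(SAML, "Subject"))
    ET.SubElement(subj, q(SAML, "NameID")).text = subject
    sc = ET.SubElement(subj, q(SAML, "SubjectConfirmation"),
                       Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    scd = ET.SubElement(sc, q(SAML, "SubjectConfirmationData"))
    if request_id is not None:
        scd.set("InResponseTo", request_id)
    return ET.tostring(resp, encoding="unicode")


def classify(xml_text):
    """Receiver side: decide by root element which code path gets the message,
    so a protocol Response is never handed to an assertion-only routine."""
    root = ET.fromstring(xml_text)
    return {q(SAMLP, "Response"): "response", q(SAML, "Assertion"): "assertion"}.get(root.tag, "other")


def check_response(xml_text, outstanding_request_ids, allow_encrypted=False):
    """Receiver side checks for a samlp:Response. Returns (ok, solicited, errors).

    outstanding_request_ids: IDs of AuthnRequests we issued and have not yet
    consumed (assumed bookkeeping, not something the SAML message provides).
    allow_encrypted defaults to False: the profile rules EncryptedAssertion out
    unless the deployment has explicitly opted in.
    """
    root = ET.fromstring(xml_text)
    if root.tag != q(SAMLP, "Response"):
        return False, False, ["root is %s, not samlp:Response" % root.tag]
    errors = []
    irt = root.get("InResponseTo")
    solicited = irt is not None
    if solicited and irt not in outstanding_request_ids:
        errors.append("InResponseTo %r matches no outstanding request" % irt)
    encrypted = root.findall(q(SAML, "EncryptedAssertion"))
    plain = root.findall(q(SAML, "Assertion"))
    if encrypted and not allow_encrypted:
        errors.append("EncryptedAssertion present but not accepted by this profile")
    if not encrypted and not plain:
        errors.append("Response carries no Assertion")
    for assertion in plain:
        # Both must agree: same request ID when solicited, both absent when not.
        for scd in assertion.iter(q(SAML, "SubjectConfirmationData")):
            if scd.get("InResponseTo") != irt:
                errors.append("SubjectConfirmationData/@InResponseTo %r disagrees with "
                              "Response/@InResponseTo %r" % (scd.get("InResponseTo"), irt))
    return not errors, solicited, errors


if __name__ == "__main__":
    req_id = "_req" + uuid.uuid4().hex
    print(check_response(build_response("https://idp.example.org", "alice", req_id), {req_id}))
    print(check_response(build_response("https://idp.example.org", "alice"), set()))
    print(check_response(build_response("https://idp.example.org", "alice", "_never_sent"), set()))
    print(classify(ASSERTION_SAMPLE), check_response(ENCRYPTED_SAMPLE, set()))
```

The SubjectConfirmationData comparison is deliberately a single equality test: for a solicited Response both attributes must name the same request, and for an unsolicited one both must be absent, which covers "anything that would imply there had been a request" on the assertion side as well as on the Response itself.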