Subject: RE: [saml-dev] Question about ConfirmationMethod in SSO
>In what instances are the <ConfirmationMethod> and <SubjectConfirmationData> used?

SAML Assertion alone does not provide its proof-of-binding to the Subject, which makes it vulnerable to replay attacks by someone who gets hold of it. Complementing SAML Assertion with challenging Subject with the proof-of-possession of some secret (symmetrical or asymmetrical) solves this problem - that's how <ConfirmationMethod> and <SubjectConfirmationData> can be used.
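
The check described in the reply above, sketched from the relying party's side as an added example that is not part of the original message. It assumes a SAML 1.x subject whose holder-of-key confirmation names a symmetric key through `ds:KeyName`; the key store, the key name and the HMAC challenge-response are hypothetical choices made for illustration.

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"

# Constructed sample: only the Subject of an assertion. A real assertion is
# signed by its issuer, and that signature is verified before this check.
SAMPLE_SUBJECT = """
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
              xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:NameIdentifier>alice@example.org</saml:NameIdentifier>
  <saml:SubjectConfirmation>
    <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
    <ds:KeyInfo><ds:KeyName>alice-session-key</ds:KeyName></ds:KeyInfo>
  </saml:SubjectConfirmation>
</saml:Subject>
"""

# Hypothetical relying-party key store: KeyName -> symmetric secret.
KEY_STORE = {"alice-session-key": b"constructed-demo-secret"}

def confirmation_key(subject_xml):
    """Return the secret the presenter must prove possession of, or None."""
    conf = ET.fromstring(subject_xml).find("saml:SubjectConfirmation", NS)
    if conf is None:
        return None
    methods = [m.text.strip() for m in conf.findall("saml:ConfirmationMethod", NS) if m.text]
    if HOLDER_OF_KEY not in methods:
        return None  # no key binding declared, so nothing to challenge against
    name = conf.findtext("ds:KeyInfo/ds:KeyName", default="", namespaces=NS).strip()
    return KEY_STORE.get(name)

def new_nonce():
    """Relying-party side: a fresh challenge for every presentation."""
    return secrets.token_bytes(16)

def prove(secret, nonce):
    """Presenter side: answer the challenge with the confirmation key."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()

def accept(subject_xml, nonce, response):
    """Accept the assertion only if the response proves possession of the key."""
    key = confirmation_key(subject_xml)
    if key is None:
        return False
    return hmac.compare_digest(prove(key, nonce), response)
```

A party that holds only a copied assertion, or a response recorded against an earlier nonce, fails `accept`.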