
Subject: RE: [saml-dev] Google SAML demo


> Have you seen the Google SAML V2.0 demo?
> 
> http://code.google.com/apis/apps/sso/saml_static_demo/saml_demo.html
> 
> Cool! :-)

Yeah, it is, but umm...hmm. Is it worth noting to them that they've missed a
few things?

Eyeballing it, the ProtocolBinding in the request is misused (it's what you
want back, not what you sent with), the response is missing a Destination
attribute, and the assertion is missing the mandated subject confirmation
data for SSO and an audience condition. (Ironically there are duplicative
mechs in SAML SSO for guarding against MitM attacks and they skipped both of
them.)

Nice of them to use https://www.opensaml.org as the Issuer though, but I'd
probably feel more flattered if a Shibboleth SP wouldn't reject it.

Any idea who we'd tell? Any googlites around here?

-- Scott
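An SP-side check for the three gaps Scott points out (Destination on the Response, bearer SubjectConfirmationData, and an AudienceRestriction), added here as an example that is not part of the thread or of Google's demo; the ACS URL and SP entityID are assumed placeholders, and the sample response is constructed to reproduce the described omissions.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def check_response(xml_text, acs_url, sp_entity_id):
    """Return the SSO-profile checks the response fails (empty list = passes)."""
    findings = []
    resp = ET.fromstring(xml_text)
    # Destination binds the response to the ACS endpoint it was meant for.
    if resp.get("Destination") is None:
        findings.append("Response lacks Destination")
    elif resp.get("Destination") != acs_url:
        findings.append("Destination does not match our ACS URL")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["Response carries no Assertion"]
    # Bearer confirmation must carry Recipient, NotOnOrAfter and InResponseTo.
    scd = assertion.find(
        f"saml:Subject/saml:SubjectConfirmation[@Method='{BEARER}']"
        "/saml:SubjectConfirmationData", NS)
    if scd is None:
        findings.append("No bearer SubjectConfirmationData")
    else:
        for attr in ("Recipient", "NotOnOrAfter", "InResponseTo"):
            if scd.get(attr) is None:
                findings.append(f"SubjectConfirmationData lacks {attr}")
    # AudienceRestriction must name this SP, else the assertion replays elsewhere.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if not audiences:
        findings.append("Assertion lacks AudienceRestriction")
    elif sp_entity_id not in audiences:
        findings.append("Audience does not name this SP")
    return findings

# Constructed sample showing the three gaps (not the demo's real output).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://www.opensaml.org</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://www.opensaml.org</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </saml:Subject>
    <saml:Conditions NotOnOrAfter="2006-01-01T00:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""
```

Running `check_response(SAMPLE, acs_url, sp_entity_id)` reports all three omissions; a response carrying the attributes passes with an empty list.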