Subject: RE: [saml-dev] Google SAML demo
> Have you seen the Google SAML V2.0 demo?
>
> http://code.google.com/apis/apps/sso/saml_static_demo/saml_demo.html
>
> Cool! :-)

Yeah, it is, but umm...hmm. Is it worth noting to them that they've missed a few things?

Eyeballing it, the ProtocolBinding in the request is misused (it's what you want back, not what you sent with), the response is missing a Destination attribute, and the assertion is missing the mandated subject confirmation data for SSO and an audience condition. (Ironically there are duplicative mechs in SAML SSO for guarding against MitM attacks and they skipped both of them.)

Nice of them to use https://www.opensaml.org as the Issuer though, but I'd probably feel more flattered if a Shibboleth SP wouldn't reject it.

Any idea who we'd tell? Any googlites around here?

-- Scott
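Added example, not part of the original message and not code from Google, OpenSAML or Shibboleth: a sketch of the response-side checks the message lists (Destination, bearer subject confirmation data, audience condition) as a service provider might apply them. The function name, the `sp.example.org` URLs and the trimmed sample XML are constructed for illustration; signature validation, time-window checks and the request's ProtocolBinding are left out.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
ACS, SP = "https://sp.example.org/acs", "https://sp.example.org/sp"  # hypothetical SP

def sso_binding_gaps(response_xml, acs_url, sp_entity_id):
    """List which of the three items named in the message are absent or wrong."""
    gaps = []
    resp = ET.fromstring(response_xml)
    dest = resp.get("Destination")
    if dest is None:
        gaps.append("Response has no Destination")
    elif dest != acs_url:
        gaps.append("Response Destination does not match this ACS URL")
    for assertion in resp.findall("a:Assertion", NS):
        # Collect SubjectConfirmationData under bearer confirmations only.
        scd = [d for c in assertion.findall("a:Subject/a:SubjectConfirmation", NS)
               if c.get("Method") == BEARER
               for d in c.findall("a:SubjectConfirmationData", NS)]
        if not scd:
            gaps.append("no bearer SubjectConfirmationData")
        elif not any(d.get("Recipient") == acs_url and d.get("NotOnOrAfter")
                     for d in scd):  # presence of NotOnOrAfter only, not its value
            gaps.append("bearer SubjectConfirmationData lacks matching "
                        "Recipient or NotOnOrAfter")
        audiences = [a.text.strip() for a in assertion.findall(
            "a:Conditions/a:AudienceRestriction/a:Audience", NS) if a.text]
        if not audiences:
            gaps.append("no AudienceRestriction")
        elif sp_entity_id not in audiences:
            gaps.append("AudienceRestriction does not name this SP")
    return gaps

def sample(dest="", scd="", cond=""):
    # Constructed, trimmed response (ID, Version, Issuer, Signature omitted).
    return (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}"{dest}>'
            f'<a:Assertion><a:Subject><a:SubjectConfirmation Method="{BEARER}">'
            f'{scd}</a:SubjectConfirmation></a:Subject>{cond}'
            f'</a:Assertion></p:Response>')

BARE = sample()  # has none of the three items
FULL = sample(f' Destination="{ACS}"',
              f'<a:SubjectConfirmationData Recipient="{ACS}" '
              f'NotOnOrAfter="2030-01-01T00:00:00Z"/>',
              f'<a:Conditions><a:AudienceRestriction><a:Audience>{SP}'
              f'</a:Audience></a:AudienceRestriction></a:Conditions>')

if __name__ == "__main__":
    for name, xml in (("BARE", BARE), ("FULL", FULL)):
        print(name, sso_binding_gaps(xml, ACS, SP))
```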