[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: Re: RE: [saml-dev] how service provider authenticate assertion
2008/5/21 张慧 <zhanghui_csu@126.com>:
>
> ... how an SP deals with this assertion is just according to its own private policy. SAML only provides the exchange format of the message. For example, some SPs trust a cross-domain user according to the attribute statement, but others according to the authentication statement. An SP can define some rules to deal with assertions. Is that right?

These are policy issues and they are out of scope as far as SAML is concerned. Different implementations handle policy differently, so you'll have to ask these questions of your favorite SAML implementer :-)

> Another question is about assertion security. For example, an assertion is trusted by two SPs. After one SP gets the user's assertion, it can impersonate the user to access the other SP. It is a very serious security problem. How to solve this problem?

If you look at the section in SAML Core I referenced earlier, you'll see that an assertion may have an <AudienceRestriction> element and that a relying party must check that the enclosed <Audience> element is valid. Note that the SAML web browser SSO profile *requires* an <Audience> element.

Tom
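The <AudienceRestriction> check Tom describes, as an added example that is not part of the thread or of any SAML implementation it mentions. It builds a constructed, unsigned assertion, pulls out every <AudienceRestriction>, and accepts the assertion only when each one names the relying party's own entity ID (SAML Core evaluates multiple <AudienceRestriction> elements independently, so all must be satisfied, while any one <Audience> inside a restriction suffices). The entity IDs, issuer and timestamps are made up for the example, and signature verification plus NotBefore/NotOnOrAfter validation are assumed to have happened before this function is called.

```python
"""Relying-party audience check for a SAML 2.0 assertion (added example).

Assumes the assertion has already been signature-verified and its
NotBefore/NotOnOrAfter window validated; only the <AudienceRestriction>
logic is shown here.
"""
import xml.etree.ElementTree as ET  # for untrusted XML, prefer a hardened parser such as defusedxml

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}


def build_assertion(restrictions):
    """Build a minimal constructed (unsigned) assertion whose <Conditions>
    carries one <AudienceRestriction> per inner list of audience URIs.
    Issuer, subject and timestamps are placeholder values."""
    parts = []
    for audiences in restrictions:
        inner = "".join("<saml:Audience>%s</saml:Audience>" % a for a in audiences)
        parts.append("<saml:AudienceRestriction>%s</saml:AudienceRestriction>" % inner)
    return (
        '<saml:Assertion xmlns:saml="%s" ID="_constructed" Version="2.0" '
        'IssueInstant="2008-05-21T10:00:00Z">'
        "<saml:Issuer>https://idp.example.org/idp</saml:Issuer>"
        "<saml:Subject><saml:NameID>user@example.org</saml:NameID></saml:Subject>"
        '<saml:Conditions NotBefore="2008-05-21T10:00:00Z" '
        'NotOnOrAfter="2008-05-21T10:05:00Z">%s</saml:Conditions>'
        '<saml:AuthnStatement AuthnInstant="2008-05-21T09:59:00Z">'
        "<saml:AuthnContext><saml:AuthnContextClassRef>"
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
        "</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>"
        "</saml:Assertion>"
    ) % (SAML_NS, "".join(parts))


def audience_restrictions(assertion_xml):
    """Return one entry per <AudienceRestriction>, each entry being the list
    of <Audience> URIs it contains (whitespace-stripped)."""
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % SAML_NS:
        raise ValueError("not a SAML 2.0 Assertion: %s" % root.tag)
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        return []
    return [
        [(a.text or "").strip() for a in ar.findall("saml:Audience", NS)]
        for ar in conditions.findall("saml:AudienceRestriction", NS)
    ]


def check_audience(assertion_xml, my_entity_id, require_audience=True):
    """Decide whether this relying party may accept the assertion.

    Every <AudienceRestriction> is evaluated independently and must be
    satisfied; one is satisfied when any of its <Audience> values equals the
    relying party's entity ID (exact string comparison). With
    require_audience=True, as the Web Browser SSO profile demands, an
    assertion with no <AudienceRestriction> is rejected.
    Returns (accepted, reason).
    """
    restrictions = audience_restrictions(assertion_xml)
    if not restrictions:
        if require_audience:
            return False, "no AudienceRestriction present"
        return True, "no AudienceRestriction; accepted by local policy"
    for i, audiences in enumerate(restrictions):
        if my_entity_id not in audiences:
            return False, "AudienceRestriction %d does not name %s" % (i, my_entity_id)
    return True, "all %d AudienceRestriction(s) name %s" % (len(restrictions), my_entity_id)


# Placeholder entity IDs for two service providers.
SP_A = "https://sp-a.example.com/sp"
SP_B = "https://sp-b.example.com/sp"

if __name__ == "__main__":
    # The scenario raised in the thread: an assertion issued for SP A is
    # presented to SP B. SP B's audience check rejects it.
    for_a = build_assertion([[SP_A]])
    print(check_audience(for_a, SP_A))  # accepted at SP A
    print(check_audience(for_a, SP_B))  # rejected at SP B
```

The entity ID compared here is the SP's own SAML entityID, which is what an IdP puts in <Audience> when it issues an assertion for that SP; an assertion the IdP minted for SP A therefore fails at SP B even if SP B trusts the same IdP, which is what stops the replay the original question describes.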