
saml-dev message



Subject: assertion security problem?


hello Tom Scavo,

Thank you for your detailed answers!
>> Another question is about assertion security. For example, an assertion is trusted by two SPs. After one SP gets the user's assertion, it can impersonate the user to access another SP. It is a very serious security problem. How to solve this problem?

>If you look at the section in SAML Core I referenced earlier, you'll
>see that an assertion may have an <AudienceRestriction> element and
>that a relying party must check that the enclosed <Audience> element
>is valid.  Note that the SAML web browser SSO profile *requires* an
><Audience> element.
I think the <Audience> element can't solve the problem I described. The <Audience> element expresses who the consumer of the assertion is. Now suppose there are two audiences, A and B, in an SSO scenario. The User Agent pushes its assertion to SP A first. At this time, A can impersonate the user agent to access SP B. The <Audience> element of the assertion includes B, so B also thinks the assertion is valid and permits A to access the resource. Is it right?
Or, in SSO, if there is only one SP, there will be no security problem like the above. But that has no great meaning, because there may be several SPs and only one IdP. The user only needs to be authenticated one time and can then access all of the SPs. That is the purpose of SSO. Is it correct? Thank you very much!

Best regards!

              hui zhang


======= 2008-05-22 07:28:36 You wrote in your message: =======

>2008/5/21 张慧 <zhanghui_csu@126.com>:
>>
>> ... how the SP deals with this assertion is just according to its own private policy. SAML only provides the exchange format of messages. For example, some SPs trust cross-domain users according to the attribute statement, but others according to the authentication statement. The SP can define some rules to deal with assertions. Is it right?
>
>These are policy issues and they are out of scope as far as SAML is
>concerned.  Different implementations handle policy differently, so
>you'll have to ask these questions of your favorite SAML implementer
>:-)
>
>> Another question is about assertion security. For example, an assertion is trusted by two SPs. After one SP gets the user's assertion, it can impersonate the user to access another SP. It is a very serious security problem. How to solve this problem?
>
>If you look at the section in SAML Core I referenced earlier, you'll
>see that an assertion may have an <AudienceRestriction> element and
>that a relying party must check that the enclosed <Audience> element
>is valid.  Note that the SAML web browser SSO profile *requires* an
><Audience> element.
>
>Tom

= = = = = = = = = = = = = = = = = = = =

Regards!

张慧
zhanghui_csu@126.com
2008-05-22
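As an added illustration of the relying-party audience check discussed in this message (example code written for this archive page, not from the thread or from any SAML implementation): it evaluates <AudienceRestriction> with the semantics SAML Core gives it (all restrictions must hold, any listed <Audience> satisfies one) and runs it against a constructed assertion whose audience lists two hypothetical SPs, showing that the audience check alone passes at SP B no matter who presents the assertion, while an assertion scoped to SP A alone fails at SP B. The entity IDs and the assertion contents are constructed, not taken from the page.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
# Hypothetical entity IDs for the scenario in the message: one IdP, two SPs.
IDP, SP_A, SP_B = "https://idp.example.org", "https://sp-a.example.org", "https://sp-b.example.org"

def build_assertion(*restrictions: list[str]) -> str:
    """Constructed minimal assertion (not a real IdP's output): one
    <AudienceRestriction> per argument, each listing the given <Audience> URIs."""
    blocks = []
    for audiences in restrictions:
        auds = "".join(f"<saml:Audience>{a}</saml:Audience>" for a in audiences)
        blocks.append(f"<saml:AudienceRestriction>{auds}</saml:AudienceRestriction>")
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_c1" Version="2.0" '
        f'IssueInstant="2008-05-22T07:28:36Z"><saml:Issuer>{IDP}</saml:Issuer>'
        f"<saml:Conditions>{''.join(blocks)}</saml:Conditions></saml:Assertion>"
    )

def audience_restrictions(assertion_xml: str) -> list[set[str]]:
    """One set of audience URIs per <AudienceRestriction> element."""
    root = ET.fromstring(assertion_xml)
    return [
        {(a.text or "").strip() for a in ar.findall("saml:Audience", NS)}
        for ar in root.findall("saml:Conditions/saml:AudienceRestriction", NS)
    ]

def audience_accepts(assertion_xml: str, my_entity_id: str) -> bool:
    """Relying-party audience check as SAML Core specifies it: every
    <AudienceRestriction> must be satisfied (AND), and one is satisfied when any
    of its <Audience> values names this relying party (OR). The web browser SSO
    profile requires the element, so its absence fails the check here."""
    restrictions = audience_restrictions(assertion_xml)
    return bool(restrictions) and all(my_entity_id in r for r in restrictions)

def accepting_parties(assertion_xml: str, candidates: list[str]) -> list[str]:
    """The candidate SPs whose audience check passes for this assertion,
    whoever presents it: the check sees only the assertion, not the presenter."""
    return [sp for sp in candidates if audience_accepts(assertion_xml, sp)]

if __name__ == "__main__":
    # The message's case: the audience lists both SPs, so SP B's check passes
    # whether the user agent or SP A presents the assertion.
    print(accepting_parties(build_assertion([SP_A, SP_B]), [SP_A, SP_B]))
    # An assertion whose audience is SP A alone fails SP B's check.
    print(accepting_parties(build_assertion([SP_A]), [SP_A, SP_B]))
```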


