
saml-dev message



Subject: Re: RE: Re: Re: RE: [saml-dev] how service provider authenticate assertion


hello Scott Cantor,

>Which is why it doesn't include B. SSO assertions are issued to a single SP
>and have many other constraints on their use inside SubjectConfirmationData.
>They're not issued for reuse across more than one. You need to read the
>profile again.
Thanks for your answer!
But in my opinion, it is impossible to have only a single SP in a real SSO application environment. Maybe there are many SPs. If the user needs to get a new assertion when accessing every SP, I wonder whether this method is reasonable in terms of performance and other aspects. Waiting for your reply!

          hui zhang 

======= 2008-05-22 23:05:30 You wrote in your message: =======

>> I think the <Audience> element can't solve the problem I described. The
>> <Audience> element expresses who the consumer of the assertion is. Now
>> suppose there are two audiences, A and B, in an SSO scenario. The user agent
>> pushes its assertion to SP A first. At this time, A can impersonate the user
>> agent to access SP B. The <Audience> element of the assertion includes B.
>
>Which is why it doesn't include B. SSO assertions are issued to a single SP
>and have many other constraints on their use inside SubjectConfirmationData.
>They're not issued for reuse across more than one. You need to read the
>profile again.
>
>You can also find security analyses of SAML around the net, not to mention
>the SAML security considerations document.
> 
>-- Scott

= = = = = = = = = = = = = = = = = = = =

Regards!

张慧
zhanghui_csu@126.com
2008-05-23
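
The constraints discussed in this thread can be shown from the receiving SP's side. The following is an added example, not part of the original messages: a sketch of the checks an SP applies to `<Audience>` and `SubjectConfirmationData`, so that an assertion issued to SP A is refused when presented at SP B. The entity IDs, URLs, sample assertion and the function name `accept_assertion` are constructed for illustration; signature validation and one-time-use (replay) tracking are assumed to happen elsewhere.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TS = "%Y-%m-%dT%H:%M:%SZ"  # assumption: timestamps without fractional seconds

# Constructed sample: an assertion the IdP issued for SP A only.
ASSERTION_FOR_A = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2008-05-22T15:00:00Z">
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp-a.example/acs"
          NotOnOrAfter="2008-05-22T15:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://sp-a.example/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def accept_assertion(xml_text, my_entity_id, my_acs_url, now):
    """Return (accepted, reason) for an already signature-verified assertion."""
    root = ET.fromstring(xml_text)
    restrictions = root.findall("saml:Conditions/saml:AudienceRestriction", NS)
    if not restrictions:
        return False, "no audience restriction"
    # Every AudienceRestriction must name this SP (restrictions are ANDed).
    for restriction in restrictions:
        audiences = {(a.text or "").strip()
                     for a in restriction.findall("saml:Audience", NS)}
        if my_entity_id not in audiences:
            return False, "audience mismatch"
    reason = "no subject confirmation data"
    for scd in root.findall(
            "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS):
        expiry = scd.get("NotOnOrAfter")
        if scd.get("Recipient") != my_acs_url:
            reason = "recipient mismatch"
        elif expiry is None:
            reason = "missing NotOnOrAfter"
        elif now >= datetime.strptime(expiry, TS).replace(tzinfo=timezone.utc):
            reason = "expired"
        else:
            return True, "ok"
    return False, reason
```

Even if an assertion did list SP B as an audience, the `Recipient` check at B would still refuse it, because the confirmation data names A's assertion consumer URL.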


