Subject: RE: [saml-dev] Checking of InResponseTo attribute
> I have some questions regarding the checking of "InResponseTo" attribute.
> As the SAML2 specification documents clearly define that "InResponseTo" must
> be checked if it corresponds to the request's "ID", it does not say why this
> is obligatory.

And in practice it isn't. If your implementation is stateful, then it might be necessary.

> What kind of attacks could this checking prevent?

Depends entirely on what you're willing to assume about the response. It presumably enables one to trust that the response fulfilled obligations that were in the request. Personally I don't use it for anything.

-- Scott
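
The stateful check discussed in this thread, as an added example that is not part of the original message or of any SAML implementation: a service provider remembers the IDs of the requests it issued and honours a Response's InResponseTo only once and only before expiry. The class name, verdict strings and TTL are hypothetical and the sample Response is constructed; signature validation and hardened XML parsing are assumed to happen elsewhere.

```python
import secrets
import time
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

class RequestTracker:
    """Hypothetical SP-side store of outstanding AuthnRequest IDs."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self.pending = {}  # request ID -> expiry time in seconds

    def new_request_id(self, now=None):
        now = time.monotonic() if now is None else now
        req_id = "_" + secrets.token_hex(16)  # xs:ID must not start with a digit
        self.pending[req_id] = now + self.ttl
        return req_id

    def check_response(self, response_xml, now=None, allow_unsolicited=False):
        """Return a verdict string for the Response's InResponseTo attribute.

        Assumes the signature was already verified by the caller.
        """
        now = time.monotonic() if now is None else now
        root = ET.fromstring(response_xml)
        if root.tag != f"{{{SAMLP}}}Response":
            return "not-a-response"
        irt = root.get("InResponseTo")
        if irt is None:  # IdP-initiated (unsolicited) response: a policy decision
            return "unsolicited-accepted" if allow_unsolicited else "unsolicited-rejected"
        expiry = self.pending.pop(irt, None)  # pop: each request ID is honoured once
        if expiry is None:
            return "unknown-request"
        if now > expiry:
            return "expired-request"
        return "ok"

def sample_response(in_response_to=None):
    """Constructed sample Response (unsigned, no assertion), for the demo only."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0"{attr}/>'

if __name__ == "__main__":
    tracker = RequestTracker()
    rid = tracker.new_request_id(now=0)
    print(tracker.check_response(sample_response(rid), now=10))  # first use
    print(tracker.check_response(sample_response(rid), now=11))  # same ID again
    print(tracker.check_response(sample_response(), now=12))     # no InResponseTo
```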