Subject: Re: [saml-dev] Re: SAML Response Status Codes for User exceeding max permitted attempts
The proper way to handle this (IMO) is to set a top-level status code of
urn:oasis:names:tc:SAML:2.0:status:Responder
And a second-level status code of
urn:oasis:names:tc:SAML:2.0:status:AuthnFailed
If additional details need to be provided, they should be placed into the optional <StatusMessage> or <StatusDetail> elements.
Note that it is normally a significant security risk to provide this much detail about an authentication request and most IdP implementations shouldn't/won't send it. This falls in the category of leaking too much information to a potential attacker.
Rob Philpott
RSA, the Security Division of EMC
Senior Technologist | e-Mail: robert.philpott@rsa.com | Office: (781) 515-7115 | Mobile: (617) 510-0893
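As an added example (not part of this thread), the status structure described above in code: an IdP-side builder for the nested Responder/AuthnFailed <StatusCode> pair, an SP-side parser/classifier, and a guard that flags a <StatusMessage> revealing account state. The term list and the sample message text are constructed assumptions, not from the SAML spec.

```python
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"
# Assumed heuristic: wording that would leak account state to a caller.
LEAKY_TERMS = ("lock", "attempt", "disabled", "expired", "no such user")

ET.register_namespace("samlp", SAMLP)


def build_status(top_level, second_level=None, message=None):
    """Serialize a <samlp:Status> with a top-level <StatusCode>, an optional
    nested second-level <StatusCode>, and an optional <StatusMessage>."""
    status = ET.Element(f"{{{SAMLP}}}Status")
    top = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=top_level)
    if second_level:
        ET.SubElement(top, f"{{{SAMLP}}}StatusCode", Value=second_level)
    if message:
        ET.SubElement(status, f"{{{SAMLP}}}StatusMessage").text = message
    return ET.tostring(status, encoding="unicode")


def parse_status(xml_text):
    """Return (top_level, second_level, message) from a serialized Status.
    For real, untrusted responses use a hardened parser such as defusedxml."""
    status = ET.fromstring(xml_text)
    top = status.find(f"{{{SAMLP}}}StatusCode")
    if top is None:
        raise ValueError("Status has no top-level StatusCode")
    nested = top.find(f"{{{SAMLP}}}StatusCode")
    msg = status.find(f"{{{SAMLP}}}StatusMessage")
    return (top.get("Value"),
            nested.get("Value") if nested is not None else None,
            msg.text if msg is not None else None)


def classify(xml_text):
    """SP-side view: success, a failed authentication, or some other error."""
    top, second, _ = parse_status(xml_text)
    if top == STATUS_SUCCESS:
        return "success"
    if top == STATUS_RESPONDER and second == STATUS_AUTHN_FAILED:
        return "authn_failed"
    return "other_error"


def leaks_account_state(message):
    """IdP-side guard: True if a StatusMessage reveals account state."""
    if not message:
        return False
    lowered = message.lower()
    return any(term in lowered for term in LEAKY_TERMS)
```

Run `leaks_account_state` on any StatusMessage before the IdP emits it; a bare AuthnFailed with no message is what most deployments should send.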
From: Siddhartha Purkayastha [mailto:kpsiddharth@gmail.com]
Sent: Wednesday, January 21, 2009 7:31 AM
To: saml-dev@lists.oasis-open.org
Subject: [saml-dev] Re: SAML Response Status Codes for User exceeding max permitted attempts
I went through the 2.0 documentation - and apparently, there isn't such a status. So my question should probably have been: what would be the best way to inform the requester of such a status?
2009/1/21 Siddhartha Purkayastha <kpsiddharth@gmail.com>
Hello All -
Can someone tell me if there is a status code (<StatusCode>) that may be used in a SAML response to inform the requester of the principal (user) exceeding max permitted number of attempts, and hence a resulting account lockout? Is there a way to distinguish this from a plain failed auth attempt?
Thanks for any help.
Thanks,
Siddhartha