[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [saml-dev] preserving query parameters in AssertionConsumerServiceURL
Hi Cantor,

I don't think it is completely pointless because, if I'm not mistaken, the RelayState is limited to 80 characters and you might have significantly longer URLs. So you might come to a situation where the RelayState cannot contain your original URL as it is. In such cases you have to store it locally, generate some handle, and put this handle in the RelayState. This will increase the risk of potential Denial of Service (DoS) attacks because even without any authentication you store something in a session or in a database, etc.

So back to the question: if the AuthnRequest is signed and the IdP verifies the signature, why not take the ACSURL as it is and send the Response to it?

Regards,
Dimitar

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu]
Sent: Wednesday, April 08, 2009 7:52 PM
To: Mihaylov, Dimitar
Cc: saml-dev@lists.oasis-open.org
Subject: RE: [saml-dev] preserving query parameters in AssertionConsumerServiceURL

Mihaylov, Dimitar wrote on 2009-04-08:
> I would interpret the part "signing the enclosing <AuthnRequest> message
> is another" that if the AuthnRequest is signed no comparison with the
> metadata is necessary? Is this correct? If yes then I do not see any
> problem putting any URL as value - containing parameters, etc. What do
> you think?

I never thought about it, but either way, it's a pointless thing to do since you have RelayState. It's just asking for interop problems.

Even if you sign the request that doesn't mean the IdP is going to verify it. You don't control that process.

-- Scott
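The two sides of this exchange, as an added example that is not part of the thread and not any SAML library's code: on the SP side, a RelayState helper that carries the return URL directly when it fits in 80 bytes and otherwise hands out a handle into a bounded, expiring store (the cap and TTL are the answer to the DoS concern, since an unauthenticated client cannot grow the table without limit); on the IdP side, the AssertionConsumerServiceURL decision Scott's reply implies: accept the requested URL if it matches metadata exactly, and otherwise only if the IdP itself verified the AuthnRequest signature. The sample metadata, the entityID, the `h:` handle prefix, the store limits and the extra rule that a signed-but-unregistered ACS URL must still sit on a host the SP already registered (stricter than the spec requires) are all assumptions made for this demo.

```python
import secrets
import time
from collections import OrderedDict
from urllib.parse import urlsplit

# SAML 2.0 Bindings cap RelayState at 80 bytes.
RELAYSTATE_MAX_BYTES = 80


class RelayStateStore:
    """Bounded, expiring table of return URLs keyed by an unguessable handle.

    An unauthenticated client can make the SP hold at most `capacity` entries,
    and stale ones are evicted, so pre-authentication storage cost is fixed.
    """

    def __init__(self, capacity=1000, ttl_seconds=300):
        self.capacity = capacity
        self.ttl = ttl_seconds
        self._entries = OrderedDict()  # handle -> (url, expiry), insertion ordered

    def _evict(self, now):
        for h in [h for h, (_, exp) in self._entries.items() if exp <= now]:
            del self._entries[h]
        while self._entries and len(self._entries) >= self.capacity:
            self._entries.popitem(last=False)  # drop the oldest live entry

    def put(self, url, now=None):
        now = time.time() if now is None else now
        self._evict(now)
        handle = secrets.token_urlsafe(24)  # 32 URL-safe chars, 192 bits of entropy
        self._entries[handle] = (url, now + self.ttl)
        return handle

    def pop(self, handle, now=None):
        """One-shot lookup: the handle is consumed whether or not it is still valid."""
        now = time.time() if now is None else now
        entry = self._entries.pop(handle, None)
        if entry is None or entry[1] <= now:
            return None
        return entry[0]

    def __len__(self):
        return len(self._entries)


def encode_relay_state(url, store):
    """SP side, building the AuthnRequest: the URL itself if it fits, else a handle."""
    if len(url.encode("utf-8")) <= RELAYSTATE_MAX_BYTES:
        return url
    return "h:" + store.put(url)  # 'h:' prefix is an assumption of this demo


def decode_relay_state(relay_state, store, allowed_hosts):
    """SP side, on the Response: recover the return URL. RelayState comes back
    via the browser, so it is untrusted; refuse to redirect off-site."""
    url = store.pop(relay_state[2:]) if relay_state.startswith("h:") else relay_state
    if url is None or (urlsplit(url).hostname or "").lower() not in allowed_hosts:
        return None
    return url


def _normalize(url):
    """Case-fold scheme and host, apply default ports, keep path and query.
    Because the query is kept, 'acs?a=1' does not match a metadata entry 'acs'."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port or {"https": 443, "http": 80}.get(scheme)
    return (scheme, host, port, p.path, p.query)


# Constructed SP metadata for the demo: entityID -> registered ACS endpoints.
SP_METADATA = {
    "https://sp.example.com/metadata": [
        "https://sp.example.com/saml/acs",
        "https://sp.example.com:8443/saml/acs",
    ],
}


def choose_acs_url(requested, sp_entity_id, signature_verified, metadata=SP_METADATA):
    """IdP side: where may the Response go? Returns None to refuse.

    1. No ACS URL in the request  -> the SP's first registered endpoint.
    2. Exact match with metadata  -> use it.
    3. Otherwise honour it only if this IdP actually verified the request
       signature (a signature nobody checked proves nothing), and then only
       on a scheme/host already registered for that SP (demo policy).
    4. Anything else is refused.
    """
    endpoints = metadata.get(sp_entity_id)
    if not endpoints:
        return None
    if requested is None:
        return endpoints[0]
    registered = {_normalize(u) for u in endpoints}
    req = _normalize(requested)
    if req in registered:
        return requested
    if signature_verified and (req[0], req[1]) in {(r[0], r[1]) for r in registered}:
        return requested
    return None
```

The store's `pop` is one-shot so a leaked handle cannot be replayed, and `decode_relay_state` checks the host even for the direct-URL case because RelayState is attacker-controllable input on the way back. On the IdP side, `signature_verified` is the output of the IdP's own XML-DSig check, which this example deliberately does not implement; the point of the argument order is that "the SP signed it" is irrelevant unless that check actually ran.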