saml-dev message
Subject: RE: [saml-dev] preserving query parameters in AssertionConsumerServiceURL


Hi Cantor,

I don't think it is completely pointless because, if I'm not mistaken, the
RelayState is limited to 80 characters and you might have significantly
longer URLs. So you might come to a situation where the RelayState cannot
contain your original URL as it is. In such cases you have to store it
locally, generate some handle and put this handle in the RelayState.
This will increase the risk of potential Denial of Service (DoS) attacks
because even without any authentication you store something in a session
or in a database, etc. So, back to the question: if the AuthnRequest is
signed and the IdP verifies the signature, why not take the ACSURL as it
is and send the Response to it?

Regards,

Dimitar

-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu]
Sent: Wednesday, April 08, 2009 7:52 PM
To: Mihaylov, Dimitar
Cc: saml-dev@lists.oasis-open.org
Subject: RE: [saml-dev] preserving query parameters in AssertionConsumerServiceURL

Mihaylov, Dimitar wrote on 2009-04-08:
> I would interpret the part "signing the enclosing <AuthnRequest> message
> is another" as meaning that if the AuthnRequest is signed, no comparison with the
> metadata is necessary? Is this correct? If yes, then I do not see any
> problem putting any URL as the value - containing parameters, etc. What do
> you think?

I never thought about it, but either way, it's a pointless thing to do since
you have RelayState. It's just asking for interop problems. Even if you sign
the request that doesn't mean the IdP is going to verify it. You don't
control that process.

-- Scott
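The two points raised in this exchange, as an added example that is not part of the thread and not code from any SAML implementation: Dimitar's 80-character RelayState limit and his concern that a server-side handle stores state for unauthenticated requests, and Scott's warning that the IdP, not the SP, decides whether the AssertionConsumerServiceURL is checked against metadata. The SP metadata, hostnames, the `strict` switch, the cookie layout and every function name are assumptions made for the illustration.

```python
# Added example, not code from the thread or from any SAML product.
# Two pieces: (1) the metadata check an IdP applies to the
# AssertionConsumerServiceURL of an AuthnRequest, showing why a query string
# in that URL is an interop risk; (2) a RelayState handle that keeps a long
# return URL off the SP's servers until the user has authenticated.
# All hostnames, metadata entries and the cookie layout are constructed.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit, urlunsplit

POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata as the IdP has it on file: one registered ACS endpoint.
SP_METADATA = {
    "https://sp.example.com/saml/acs": {"index": 0, "binding": POST_BINDING},
}
SP_HOST = "sp.example.com"          # constructed; the SP's own host
RELAYSTATE_MAX = 80                 # the length limit the thread refers to
SP_KEY = secrets.token_bytes(32)    # constructed per-process secret; a real SP persists this


def canonical_endpoint(url):
    """Scheme, host and path only: what a lenient IdP compares against metadata."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, "", ""))


def resolve_acs(requested_acs, signature_verified, strict=True):
    """Return the ACS URL the IdP may send the Response to, or None to reject.

    strict=True  : exact string match against metadata (common IdP behaviour),
                   so a "?a=b" appended by the SP makes the request fail.
    strict=False : a request whose signature this IdP actually verified may
                   carry a query string, provided the base endpoint is registered.
    """
    if requested_acs is None:
        # No ACS URL in the request: use the default endpoint from metadata.
        return next(u for u, m in SP_METADATA.items() if m["index"] == 0)
    if requested_acs in SP_METADATA:
        return requested_acs
    if not strict and signature_verified and canonical_endpoint(requested_acs) in SP_METADATA:
        return requested_acs
    return None


def make_relay_state(return_url, key=SP_KEY):
    """Return (relay_state, cookie_value).

    A short URL travels in RelayState itself. A longer one is bound, by HMAC,
    to a random handle; the URL plus the MAC go into a cookie on the user's
    browser and only the handle goes into RelayState, so the SP stores nothing
    for an unauthenticated request.
    """
    if len(return_url) <= RELAYSTATE_MAX:
        return return_url, None
    handle = secrets.token_urlsafe(16)  # 22 characters, well under the limit
    mac = hmac.new(key, (handle + "\n" + return_url).encode(), hashlib.sha256).hexdigest()
    cookie = base64.urlsafe_b64encode(return_url.encode()).decode() + "." + mac
    return handle, cookie


def resolve_relay_state(relay_state, cookie, key=SP_KEY):
    """Recover the return URL on the way back from the IdP, or None to reject.

    Both paths also refuse to redirect anywhere but the SP's own host, since
    RelayState arrives from the browser and cannot be trusted on its own.
    """
    if cookie is None:
        url = relay_state
    else:
        encoded, _, mac = cookie.rpartition(".")
        try:
            url = base64.urlsafe_b64decode(encoded).decode()
        except (ValueError, UnicodeDecodeError):
            return None
        expected = hmac.new(key, (relay_state + "\n" + url).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None
    if urlsplit(url).netloc.lower() != SP_HOST:
        return None
    return url
```

With `strict=True` the IdP rejects any ACS URL that is not byte-for-byte in its metadata, which is the interop failure Scott predicts for query parameters; the `strict=False` branch shows what an IdP would have to do deliberately, and only after it has itself verified the signature, for Dimitar's approach to work. The cookie-bound handle keeps the original URL on the client, so a flood of unauthenticated AuthnRequests leaves no session or database rows behind.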
