saml-dev message



Subject: RE: [saml-dev] preserving query parameters in AssertionConsumerServiceURL



 > is that it's also a bad idea to ever pass actual session ID material

For the record, the sessionId in my example is not an actual session
encapsulating access, but one that differentiates different screen
streams within the same session. Maybe I should have made the example a
bit more generic by using query parameters a to z.

I understand Scott's argument, but basically it comes down to not being
able to use the URL I want because the SP needs some reliable way to
compare my AssertionConsumerURL with the metadata.

Which feels like the application of the standard is skewed toward the
implementation responder side.

I can live with it, but unless the standard is amended to read "The
AssertionConsumerURL MUST match the actual URL held in the metadata", I
don't think the standard has been fully implemented, or fully thought
out.

But thanks again for the answer Scott.

______________________________
Franck Schmidlin
Transformation Technical Consultant - Integration
Technical Architect - Northgate Hub 

Northgate Public Services



-----Original Message-----
From: Scott Cantor [mailto:cantor.2@osu.edu] 
Sent: 08 April 2009 18:47
To: 'Mihaylov, Dimitar'
Cc: saml-dev@lists.oasis-open.org
Subject: RE: [saml-dev] preserving query parameters in
AssertionConsumerServiceURL

>> This will increase the risk of potential Denial of Service (DoS) 
>> attacks because even without any authentication you store something 
>> in a session or in a database, etc.

Another point, solely based on the original example/question, is that
it's also a bad idea to ever pass actual session ID material around to
the IdP and back anyway, especially in a redirect, since that gets
logged all over.
That opens up the session back at the SP to lots of attack vectors,
given the stupidity of how most server-side sessions are implemented by
application servers. Lack of address checking, for example.

-- Scott

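The SP-side check the thread keeps coming back to, as an added example that is not code from either poster or from any SAML toolkit: an SP reads the AssertionConsumerServiceURL carried in an AuthnRequest and decides whether to honour it by comparing it with the ACS endpoints in its own metadata. It shows two policies side by side: the exact match Scott argues for (query string included, so a query-parameter variant has to be registered in the metadata as its own Location), and a "loose" policy that ignores the query string, which is what lets arbitrary parameters such as a sessionId reach the ACS handler and end up in redirect logs. The hostnames, the metadata entries and the AuthnRequest are all constructed for the example.

```python
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

# Constructed sample: ACS endpoints this SP registered in its metadata.
# Hostnames and index values are hypothetical, not from the original thread.
SP_METADATA_ACS = [
    {"Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
     "Location": "https://sp.example.org/saml/acs", "index": 0},
    # A query-parameter variant is only acceptable under exact matching if it
    # is itself listed as a Location in the metadata.
    {"Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
     "Location": "https://sp.example.org/saml/acs?stream=reports", "index": 1},
]

# Constructed sample AuthnRequest whose ACS URL carries a sessionId parameter,
# i.e. the pattern the thread discusses. The ID and timestamp are made up.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-request-1" Version="2.0" IssueInstant="2009-04-08T17:47:00Z"
    AssertionConsumerServiceURL="https://sp.example.org/saml/acs?sessionId=3f9a"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://sp.example.org/saml/metadata</saml:Issuer>
</samlp:AuthnRequest>"""


def extract_acs_url(authn_request_xml):
    """Return the AssertionConsumerServiceURL attribute of an AuthnRequest,
    or None if the request does not carry one (the IdP then falls back to
    the metadata default)."""
    root = ET.fromstring(authn_request_xml)
    return root.get("AssertionConsumerServiceURL")


def _strip_query(url):
    """Scheme, host and path only; used by the loose policy."""
    return urlsplit(url)._replace(query="", fragment="").geturl()


def acs_url_allowed(requested_url, metadata_acs, policy="exact"):
    """Decide whether a requested ACS URL may be honoured.

    policy="exact": the URL must be byte-for-byte one of the metadata
        Locations, query string included. This is the reliable comparison the
        thread says the SP needs.
    policy="loose": compare scheme/host/path only and ignore the query string.
        Shown here only to make the difference visible; it lets any caller
        append parameters that the ACS handler will then act on.
    """
    locations = [entry["Location"] for entry in metadata_acs]
    if policy == "exact":
        return requested_url in locations
    if policy == "loose":
        base = _strip_query(requested_url)
        return any(_strip_query(loc) == base for loc in locations)
    raise ValueError("unknown policy: %r" % policy)


def evaluate_request(authn_request_xml, metadata_acs):
    """Run both policies over one AuthnRequest and report the outcome."""
    url = extract_acs_url(authn_request_xml)
    return {
        "acs_url": url,
        "exact": acs_url_allowed(url, metadata_acs, "exact"),
        "loose": acs_url_allowed(url, metadata_acs, "loose"),
    }


if __name__ == "__main__":
    result = evaluate_request(SAMPLE_AUTHN_REQUEST, SP_METADATA_ACS)
    print("requested ACS URL:", result["acs_url"])
    print("accepted under exact match:", result["exact"])
    print("accepted under loose match: ", result["loose"])
```

Under the exact policy the sessionId variant is refused and the registered `?stream=reports` variant is accepted, which is the trade-off Franck describes: the URL has to be one the metadata already knows. Under the loose policy the same request is accepted, and so would be any other query string on the registered path.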

