Subject: Re: [saml-dev] IdP initiated SSO and RelayState
Peter Major wrote at 2016-5-25 14:06 +0100:
>Reading the SAML bindings and the SAML core specs, I'm not really sure
>how RelayState should work when performing an IdP initiated SSO.

Try not to use IdP initiated SSO: the "normal" relay state provides an
effective means against replay attacks (as using the same relay state
a second time is automatically detected and will fail).
If the IdP (rather than the SP) can provide the relay state,
replay attacks must be prevented in another (much more complicated) way.

--
Dieter
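A sketch of the SP-side check the reply above describes, as an added example that is not part of the original message: the SP issues a random, single-use relay state and rejects any value it did not issue or has already consumed. The class name, method names and the five-minute lifetime are assumptions made for illustration.

```python
import secrets
import time


class RelayStateStore:
    """SP-side record of relay-state tokens this SP issued (hypothetical helper)."""

    def __init__(self, ttl_seconds=300, clock=time.monotonic):
        self._ttl = ttl_seconds          # assumed lifetime of a pending login
        self._clock = clock              # injectable so expiry can be tested
        self._pending = {}               # token -> (expiry, return_url)

    def issue(self, return_url):
        """SP starts SSO: bind a fresh unguessable token to the target URL."""
        token = secrets.token_urlsafe(32)
        self._pending[token] = (self._clock() + self._ttl, return_url)
        return token

    def consume(self, token):
        """Response arrives: return the bound URL, or None if not acceptable.

        pop() deletes the entry, so presenting the same relay state a
        second time finds nothing and fails.
        """
        entry = self._pending.pop(token, None)
        if entry is None:
            return None                  # never issued here, or already used
        expiry, return_url = entry
        if self._clock() > expiry:
            return None                  # issued, but the login took too long
        return return_url


def demo():
    store = RelayStateStore()
    token = store.issue("/reports")      # constructed sample target
    first = store.consume(token)         # SP-initiated flow completes
    replay = store.consume(token)        # same relay state again: rejected
    # A relay state chosen by the IdP has no entry in the SP's store, so
    # this check cannot vouch for it (constructed sample value).
    idp_chosen = store.consume("https://sp.example/landing")
    return first, replay, idp_chosen


if __name__ == "__main__":
    print(demo())
```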