security-services message

Subject: Re: [security-services] Summary: ISSUE: [MS-5-07: SSO Confirmation] (was: ISSUE: bindings-model-11: SSO Assertion's ConfirmationMethod set to SAML Artifact?)


Irving Reid wrote:
> 
> > From: Jeff Hodges [mailto:Jeff.Hodges@sun.com]
> > Sent: Friday, March 15, 2002 6:03 PM
> > The change to make to bindings-model-11 is to change lines 525-526 of
> > bindings-model-11 to say..
> >
> >  The <saml:ConfirmationMethod> element of each assertion MUST be
> >  set to the value specified in [SAMLCore] for "SAML Artifact", and the
> >  <saml:SubjectConfirmationData> element MUST be present with its value
> >  being the SAML_artifact supplied to obtain the assertion(s).
> 
> This explicitly breaks one of the original design principles for the SAML
> artifact binding. When we built the artifact binding, we imposed on
> ourselves a specific constraint that it MUST NOT be possible to derive the
> artifact from the corresponding assertion, to make sure that someone who
> could get their hands on the assertion couldn't trick the sender into
> thinking they were the intended recipient.

good catch, always sumptin'. I somewhat recall that discussion now that you
mention it. 

So perhaps what we should do is have lines 546-548 of bindings-model-12 altered
to say just..

     The <saml:ConfirmationMethod> element of each assertion MUST be
     set to the value specified in [SAMLCore] for "SAML Artifact".


And, in core-28, delete lines 1798-1800..

   <SubjectConfirmationData>: Base64 ( Artifact )
   The subject of the assertion is the party that can present the SAML
   Artifact value specified in <SubjectConfirmationData>



JeffH
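As an added example (not code from this thread, from OASIS, or from any SAML implementation), a check a receiving site could run on an assertion obtained through the artifact binding to enforce the design principle Irving describes: the confirmation method is the artifact method, and the artifact is not recoverable from the assertion itself. The assertion namespace, the confirmation-method URI, and the artifact layout are assumptions taken from SAML 1.x, not values stated in this message; the assertions and artifact are constructed for the demo.

```python
import base64
import xml.etree.ElementTree as ET
from typing import List, Optional

# Assumptions: SAML 1.x assertion namespace and the artifact confirmation-method URI.
# The thread only says "the value specified in [SAMLCore] for 'SAML Artifact'".
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ARTIFACT_METHOD = "urn:oasis:names:tc:SAML:1.0:cm:artifact"

# Constructed type-1 artifact: 2-byte TypeCode, 20-byte SourceID, 20-byte AssertionHandle.
ARTIFACT = base64.b64encode(b"\x00\x01" + b"S" * 20 + b"H" * 20).decode()


def check_artifact_confirmation(assertion_xml: str, artifact: str) -> List[str]:
    """Return the problems found; an empty list means the assertion follows the rule."""
    problems = []
    ns = {"saml": SAML_NS}
    root = ET.fromstring(assertion_xml)
    methods = [m.text.strip() for m in
               root.iterfind(".//saml:SubjectConfirmation/saml:ConfirmationMethod", ns) if m.text]
    if ARTIFACT_METHOD not in methods:
        problems.append("ConfirmationMethod is not the SAML Artifact method")
    # Either the raw artifact or its Base64 form (the core-28 wording) would let a holder
    # of the assertion replay the artifact and pose as the intended recipient.
    leaked_forms = {artifact, base64.b64encode(artifact.encode()).decode()}
    for data in root.iterfind(".//saml:SubjectConfirmationData", ns):
        if (data.text or "").strip() in leaked_forms:
            problems.append("SubjectConfirmationData reveals the artifact")
    return problems


def build_assertion(method: str, confirmation_data: Optional[str]) -> str:
    """Constructed minimal SAML 1.x assertion for the demo, not a real IdP message."""
    data_el = (f"<saml:SubjectConfirmationData>{confirmation_data}</saml:SubjectConfirmationData>"
               if confirmation_data else "")
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}" MajorVersion="1" MinorVersion="0">'
            "<saml:AuthenticationStatement><saml:Subject>"
            "<saml:NameIdentifier>alice</saml:NameIdentifier>"
            f"<saml:SubjectConfirmation><saml:ConfirmationMethod>{method}</saml:ConfirmationMethod>"
            f"{data_el}</saml:SubjectConfirmation></saml:Subject>"
            "</saml:AuthenticationStatement></saml:Assertion>")


# The core-28 form (artifact carried in SubjectConfirmationData) versus the proposed form.
LEAKING = build_assertion(ARTIFACT_METHOD, base64.b64encode(ARTIFACT.encode()).decode())
CLEAN = build_assertion(ARTIFACT_METHOD, None)
```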

