[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Re: [security-services] Summary: ISSUE:[MS-5-07: SSO Confirmation](was: ISSUE: bindings-model-11: SSO Assertion'sConfirmationMethod set toSAMLArtifact?)
Irving Reid wrote: > > > From: Jeff Hodges [mailto:Jeff.Hodges@sun.com] > > Sent: Friday, March 15, 2002 6:03 PM > > The change to make to bindings-model-11 is to change lines 525-526 of > > bindings-model-11 to say.. > > > > The <saml:ConfirmationMethod> element of each assertion MUST be > > set to the value specified in [SAMLCore] for "SAML Artifact", and the > > <saml:SubjectConfirmationData> element MUST be present with its value > > being the SAML_artifact supplied to obtain the assertion(s). > > This explicitly breaks one of the original design principles for the SAML > artifact binding. When we built the artifact binding, we imposed on > ourselves a specific constraint that is MUST NOT be possible to derive the > artifact from the corresponding assertion, to make sure that someone who > could get their hands on the assertion couldn't trick the sender into > thinking they were the intended recipient. good catch, always sumptin'. I somewhat recall that discussion now that you mention it. So perhaps what we should do is have lines 546-548 of bindings-model-12 altered to say just.. The <saml:ConfirmationMethod> element of each assertion MUST be set to the value specified in [SAMLCore] for "SAML Artifact". And, in core-28, delete lines 1798-1800.. <SubjectConfirmationData>: Base64 ( Artifact ) The subject of the assertion is the party that can present the SAML Artifact value specified in <SubjectConfirmationData> JeffH
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC