Subject: [security-services] Preliminary text for "Request Denied" error sub-status code
After the end of the sentence on line 1279, insert a new paragraph:
Note: The AuthenticationQuery MAY NOT be used as a request for a new authentication using credentials provided in the request. The AuthenticationQuery is a request for statements about authentication acts which have occurred in a previous interaction between the indicated principal and the Authentication Authority.
(3) In Security Considerations, add a new sub-section to "SAML Protocol" (Section 3.2)
3.1 Active Attacks using SAML Requests
A variety of attacks are possible using SAML requests. A malicious requester may attempt to obtain a valid SAML assertion by "guessing" a valid <Subject> element. This may be accomplished by repeatedly submitting an AuthenticationQuery or AttributeQuery with contents of the <Subject> element drawn from a dictionary of potential values for <Subject> sub-elements and attributes. A SAML responder should attempt to detect such attacks and return the Requester error code with sub-error code RequestDenied.
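As an added example (not text from this proposal or from the SAML specification), the heuristic below sketches how a responder could spot the Subject-guessing pattern described above and answer with Requester / RequestDenied. The per-requester key, the thresholds, and the sample traffic are assumptions; the status values use the samlp: QName form of SAML 1.x.

```python
# Added example: sliding-window detection of <Subject> guessing at a SAML 1.x
# responder. Requester key, thresholds and traffic below are constructed.
from collections import deque

# SAML 1.x status codes: top-level and second-level values.
STATUS_SUCCESS = "samlp:Success"
STATUS_REQUESTER = "samlp:Requester"
STATUS_REQUEST_DENIED = "samlp:RequestDenied"


class SubjectGuessDetector:
    """Per-requester window over recent <Subject> NameIdentifier values.

    A requester asking about many distinct subjects, most of which the
    authority has never seen, looks like a dictionary walk. Both conditions
    are required so a portal that queries many *known* users is not denied.
    """

    def __init__(self, window, max_unknown, min_unknown_ratio):
        self.window = window                    # recent queries kept per requester
        self.max_unknown = max_unknown          # distinct unknown subjects tolerated
        self.min_unknown_ratio = min_unknown_ratio
        self.history = {}                       # requester -> deque of (subject, known)

    def observe(self, requester, subject, known_subject):
        """Record one query; return True when the guessing pattern is met."""
        h = self.history.setdefault(requester, deque(maxlen=self.window))
        h.append((subject, known_subject))
        unknown = {s for s, k in h if not k}
        ratio = sum(1 for _, k in h if not k) / len(h)
        return len(unknown) >= self.max_unknown and ratio >= self.min_unknown_ratio


def status_for_query(detector, requester, subject, known_subjects):
    """Return (top-level, second-level) status codes for one query."""
    if detector.observe(requester, subject, subject in known_subjects):
        return (STATUS_REQUESTER, STATUS_REQUEST_DENIED)
    return (STATUS_SUCCESS, None)


def run_sample():
    """Constructed traffic: a portal querying real users and a guesser."""
    known = {"alice", "bob", "carol"}
    det = SubjectGuessDetector(window=20, max_unknown=5, min_unknown_ratio=0.5)
    portal = [status_for_query(det, "portal.example", s, known)
              for s in ["alice", "bob", "carol", "alice", "bob", "carol"]]
    wordlist = ["aaron", "abby", "adam", "alice", "alan", "amy", "andy"]
    guesser = [status_for_query(det, "guesser.example", s, known) for s in wordlist]
    return portal, guesser
```

The known/unknown ratio is what separates a guesser from a busy legitimate requester; a responder would also log the denied requester so the event reaches its audit trail.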