
security-services message



Subject: RE: [security-services] AssertionConsumerServiceIndex vs. AssertionConsumerURL




Scott Cantor wrote on 8/25/2004, 1:16 PM:

 > > And a final note, if you do include the AssertionConsumerURL,
 > > I think the request has to be signed. With the other
 > > methods, it is more easily accepted without a signature.
 >
 > It doesn't have to be signed, but in either case, you need a way of
 > verifying that the ASC value is appropriate for the requesting SP.
 > Metadata being one way, of course.

If you have metadata, then you typically don't need the URL on the
request. So I would assume that metadata is not available to do
the validation (of course others could be used).

 > Of course, any unsigned request can be manipulated entirely by an
 > attacker if SSL isn't used or if they have sufficient access to the
 > client, etc.

SSL isn't the issue. Protecting the AuthnRequest is more about
preventing a third party from submitting an AuthnRequest acting
as a different provider. If the URL isn't clearly protected,
the 3rd party could say it was a provider and specify its own
URL for the response, thereby getting a token that it could use
to act as the user at the provider.

Keeping the URL in Metadata (typically a more trusted path)
essentially removes most of this risk.  Signing the request is
an alternative method.

Conor
 >
 > -- Scott
 >
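The check Conor describes, as an added example that is not part of this thread: an IdP resolving the ACS endpoint for an unsigned AuthnRequest by trusting only what the SP registered in metadata. The metadata table, the entityID and URLs, and the sample request are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed stand-in for the SP metadata the IdP trusts:
# entityID -> registered ACS endpoints by index, plus the default index.
SP_METADATA = {
    "https://sp.example.org/saml": {
        "endpoints": {0: "https://sp.example.org/saml/acs",
                      1: "https://sp.example.org/saml/acs-artifact"},
        "default_index": 0,
    },
}

# Constructed unsigned AuthnRequest that names an ACS URL (hypothetical values).
REQUEST_XML = (
    '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" '
    'Version="2.0" IssueInstant="2004-08-25T13:16:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.org/saml/acs">'
    '<saml:Issuer>https://sp.example.org/saml</saml:Issuer>'
    '</samlp:AuthnRequest>' % (NS["samlp"], NS["saml"])
)


def resolve_acs(authn_request_xml, metadata=SP_METADATA):
    """Return the ACS URL the IdP may send the response to, or raise ValueError."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest")
    # The request is unsigned, so its contents are untrusted: the Issuer only
    # selects which metadata entry to check against, it proves nothing itself.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    sp = metadata.get(issuer)
    if sp is None:
        raise ValueError("unknown or missing Issuer: %r" % issuer)
    endpoints = sp["endpoints"]
    idx = root.get("AssertionConsumerServiceIndex")
    url = root.get("AssertionConsumerServiceURL")
    if idx is not None and url is not None:
        raise ValueError("index and URL must not both be present")
    if idx is not None:
        if not idx.isdigit() or int(idx) not in endpoints:
            raise ValueError("unregistered ACS index %r" % idx)
        return endpoints[int(idx)]
    if url is not None:
        # Exact match only: no prefix, host-only or case-folded comparison,
        # so a lookalike URL chosen by the requester is rejected.
        if url not in endpoints.values():
            raise ValueError("ACS URL not registered in metadata: %s" % url)
        return url
    return endpoints[sp["default_index"]]
```

A request with neither attribute falls back to the metadata default, so a deployment that has metadata never needs to trust a URL carried in an unsigned request.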



