Subject: RE: [security-services] AssertionConsumerServiceIndex vs. AssertionConsumerURL
Scott Cantor wrote on 8/25/2004, 1:16 PM:

> > And a final note, if you do include the AssertionConsumerURL,
> > I think the request has to be signed. With the other
> > methods, it is more easily accepted without a signature.
>
> It doesn't have to be signed, but in either case, you need a way of
> verifying that the ASC value is appropriate for the requesting SP.
> Metadata being one way, of course.

If you have MetaData, then you typically don't need the URL on the request. So I would assume that metadata is not available to do the validation (of course others could be used).

> Of course, any unsigned request can be manipulated entirely by an
> attacker if SSL isn't used or if they have sufficient access to the
> client, etc.

SSL isn't the issue. Protecting the AuthnRequest is more about preventing a third party from submitting an AuthnRequest acting as a different provider. If the URL isn't clearly protected, the 3rd party could say it was a provider and specify its own URL for the response, thereby getting a token that it could use to act as the user at the provider.

Keeping the URL in Metadata (typically a more trusted path) essentially removes most of this risk. Signing the request is an alternative method.

Conor

> -- Scott
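
The check discussed in this thread, as an added example that is not part of the original message: an IdP resolves the response destination from metadata and accepts a request-supplied AssertionConsumerURL only if it exactly matches an endpoint registered for the issuer or, lacking metadata, if the request signature was verified. The `SP_METADATA` table, the class and function names, the rule that URL and index may not both be present, and the `signature_verified` flag are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample metadata: SP entityID -> {index: ACS URL}; index 0 is the default.
SP_METADATA = {
    "https://sp.example.org/saml": {
        0: "https://sp.example.org/acs/post",
        1: "https://sp.example.org/acs/artifact",
    },
}


class RequestRejected(Exception):
    """The response destination could not be tied to the requesting SP."""


@dataclass
class AuthnRequest:
    issuer: str
    acs_url: Optional[str] = None     # AssertionConsumerURL carried on the request
    acs_index: Optional[int] = None   # AssertionConsumerServiceIndex
    # Assumption: set by the caller after verifying the request signature
    # against a key already trusted for this issuer.
    signature_verified: bool = False


def resolve_response_url(req: AuthnRequest, metadata=SP_METADATA) -> str:
    # Policy of this example: a request carrying both values is ambiguous.
    if req.acs_url is not None and req.acs_index is not None:
        raise RequestRejected("URL and index both present")
    endpoints = metadata.get(req.issuer)
    if endpoints is not None:
        if req.acs_url is not None:
            # Exact string match only: no prefix or host-only comparison.
            if req.acs_url not in endpoints.values():
                raise RequestRejected("ACS URL not registered for this issuer")
            return req.acs_url
        index = 0 if req.acs_index is None else req.acs_index
        if index not in endpoints:
            raise RequestRejected("unknown ACS index for this issuer")
        return endpoints[index]
    # No metadata: an index cannot be resolved, and a bare URL is trusted
    # only when the signature ties it to the claimed issuer.
    if req.acs_url is not None and req.signature_verified:
        return req.acs_url
    raise RequestRejected("no metadata and no verified signature")
```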