security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [security-services] AssertionConsumerServiceIndex vs. AssertionConsumerURL




Scott Cantor wrote on 8/25/2004, 2:51 PM:

 > Right. See lines 548-549 of CD SSO profile, and related text later on.
 > It's clear that whatever the potential use of the attribute, this
 > profile calls out placing the URL there, whereas the entityID of the
 > SP is in the Audience, as in ID-FF.

Upon some thought I think we should rethink this model of protecting
the assertion by using the <Recipient> subject confirmation to list the
delivery URL for the assertion.

While this does help protect the security environment by telling the
SP to not accept a token if presented on a different URL, it does NOT
protect the potential leaking of information by the presentation of
an assertion for the subject to an incorrect party.

The information contained within an assertion does have privacy related
information and we need to ensure that the IdP does not deliver the
assertion to a party which shouldn't get it.


Conor
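The two bindings the thread contrasts can be seen from the relying party's side: the `Recipient` attribute on a bearer `SubjectConfirmationData` names the URL the assertion may be delivered to, while `Audience` names the SP entityID the assertion is addressed to. The following is example code written for this archive page, not code from the OASIS TC, SAML specification or any product. It checks both bindings on a constructed SAML 2.0 assertion (the entityID, ACS URL, issuer and timestamps are made-up values) and assumes XML signature verification has already been done by the caller. It shows only what an SP can enforce on receipt; as the message above points out, none of these checks stop an IdP from releasing an assertion to the wrong party in the first place, which is an IdP-side release control.

```python
"""SP-side checks for Recipient (delivery URL) and Audience (SP entityID)
on a SAML 2.0 bearer assertion. Example code for this page; values and the
sample assertion are constructed, not taken from any deployment."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

SP_ENTITY_ID = "https://sp.example.org/saml"      # assumed SP entityID
SP_ACS_URL = "https://sp.example.org/saml/acs"    # assumed ACS endpoint

# Constructed sample assertion (signature omitted; assumed already verified).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-id-1" Version="2.0" IssueInstant="2004-08-25T19:00:00Z">
  <saml:Issuer>https://idp.example.net/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp.example.org/saml/acs"
          NotOnOrAfter="2004-08-25T19:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2004-08-25T18:59:00Z" NotOnOrAfter="2004-08-25T19:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_time(value):
    """SAML timestamps are xsd:dateTime in UTC with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_bearer_assertion(xml_text, entity_id, acs_url, now):
    """Return a list of failure reasons; an empty list means the assertion is
    bound to this SP (Audience), to this endpoint (Recipient) and is valid at
    'now'. Every check is an exact string comparison; no prefix matching."""
    failures = []
    root = ET.fromstring(xml_text)

    # 1. Recipient: a bearer confirmation must name OUR ACS URL and be unexpired.
    datas = root.findall(
        ".//saml:SubjectConfirmation[@Method='%s']/saml:SubjectConfirmationData" % BEARER, NS)
    if acs_url not in [d.get("Recipient") for d in datas]:
        failures.append("Recipient does not match this ACS URL")
    for d in datas:
        exp = d.get("NotOnOrAfter")
        if exp is not None and now >= parse_time(exp):
            failures.append("SubjectConfirmationData expired")

    # 2. Audience: the assertion must be addressed to OUR entityID.
    audiences = [a.text.strip() for a in
                 root.findall(".//saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if entity_id not in audiences:
        failures.append("Audience does not include this SP entityID")

    # 3. Conditions validity window (NotBefore inclusive, NotOnOrAfter exclusive).
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_time(nb):
            failures.append("assertion not yet valid")
        if noa and now >= parse_time(noa):
            failures.append("assertion expired")
    return failures


if __name__ == "__main__":
    now = parse_time("2004-08-25T19:01:00Z")
    print("as intended:", check_bearer_assertion(SAMPLE_ASSERTION, SP_ENTITY_ID, SP_ACS_URL, now))
    print("other URL:  ", check_bearer_assertion(SAMPLE_ASSERTION, SP_ENTITY_ID,
                                                 "https://sp.example.org/other", now))
```

A deployment would run this after signature verification and alongside replay detection on the assertion `ID`; the point of the example is that `Recipient` and `Audience` are distinct checks that fail independently, and that both are exact matches rather than hostname or prefix comparisons.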