Subject: RE: [imi] Token profile issue with AppliesTo and AudienceRestriction
Mike Jones wrote on 2009-12-15:
> As part of the review of the draft SAML 1.1 token profile, Arun Nanda
> commented: "This is overkill IMO. If an IdP is an open IdP that issues
> 'unscoped' tokens for consumption by any RP, it should not be forced to
> encode an audience in the issued token just because the request included it.
> So, may be SHOULD is preferred here."

I disagree. If the request from the user's client includes that field, it's precisely to *guarantee* that the IdP doesn't risk the user's identity in this fashion.

-- Scott