OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [saml-dev] Non-web client authentication

Den Mar 3, 2006 kl. 16:43 skrev Cahill, Conor P:

> I don't know how you can say that you don't trust an
> application running on the user's computer since that
> application, if it was a bad guy, could do pretty much
> anything on the computer including replacing the browser
> with their own thing that looks like a browser.  On
> top of that, the application, once it gets the user
> signed in, is trusted to do the right thing for the user.

Well, the problem is not bad application and bad user, but good user  
and bad application. A user should trust the interface in which she  
enters her credentials. And a user cannot trust a random application.

> That said, the probably easiest thing to do would be for
> your application to act as a local web server and do
> an authen request to the IdP with a response going to
> localhost:theportyourlistening to.  Then your client
> could just act as an SP speaking to the IdP through
> the browser SSO profile.

I do not fully understand your suggestion. Are you talking about  
"webscraping" a login service. That's not a "real" solution.

Andreas Åkre Solberg
UNINETT - http://uninett.no

Contact Info and PGP Public Key:


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]