saml-dev message

Subject: Re: [saml-dev] Does John Doe actually have to hit a Submit button to send the encrypted Authentication Response to CarRentalInc?


On 6/19/06, Costello, Roger L. <costello@mitre.org> wrote:
>
> Question: will John Doe actually have to hit a Submit button to send (POST)
> the Authentication Response to CarRentalInc?

One line of JavaScript will automate submission of the form:

window.onload = function() { document.forms[0].submit(); }

> In other words, from John
> Doe's perspective he pressed the link, and the next thing he sees is an HTML
> form that is filled with a bunch of encrypted stuff.  Then John Doe is
> expected to press the Submit button, is that how it works?

Well, first of all, Mr. Doe will not see any form content unless he
views the source of the web page.  If he does view the source, he will
see a base64-encoded assertion, which may or may not be encrypted
under the covers.  (In SAML 1.1, for instance, encryption is not an
option.)

> Question: or, is there something that can be done (similar to an HTTP
> redirect) so that John Doe doesn't see the encrypted Response being
> forwarded to CarRentalInc?  That is, is there a way for the unsolicited
> Response to be delivered to CarRentalInc "behind the scenes", via John Doe's
> browser?

JavaScript will do the trick unless, of course, JavaScript is disabled
in the browser.  In that case, the user will have to press the Submit
button, yes.

Tom
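The self-posting page this exchange describes, written out as an added example that is not part of the thread or of any SAML implementation; the ACS URL, the placeholder Response XML and the RelayState value are constructed, and the Node.js Buffer API is assumed for base64 encoding:

```javascript
// Added example, not from the thread: the self-posting page an identity
// provider returns for the SAML HTTP POST binding. The Response XML is
// base64-encoded into a hidden SAMLResponse field, one line of JavaScript
// submits the form on load, and a <noscript> Submit button covers browsers
// with JavaScript disabled. Values are HTML-escaped so a RelayState chosen
// by someone else cannot break out of the attribute it is placed in.

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Base64-encode the raw XML of the SAML Response (Node.js Buffer API).
function encodeSamlResponse(xml) {
  return Buffer.from(xml, "utf8").toString("base64");
}

// Build the HTML page that carries the Response to the service provider's
// Assertion Consumer Service (ACS) URL via the user's browser.
function buildPostBindingPage(acsUrl, responseXml, relayState) {
  const fields = [
    `<input type="hidden" name="SAMLResponse" value="${escapeHtml(encodeSamlResponse(responseXml))}"/>`,
  ];
  if (relayState !== undefined) {
    fields.push(`<input type="hidden" name="RelayState" value="${escapeHtml(relayState)}"/>`);
  }
  return [
    '<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>',
    `<form method="post" action="${escapeHtml(acsUrl)}">`,
    ...fields,
    // Rendered only when JavaScript is off: the user presses Submit by hand.
    '<noscript><input type="submit" value="Continue"/></noscript>',
    "</form>",
    "<script>window.onload = function() { document.forms[0].submit(); };</script>",
    "</body></html>",
  ].join("\n");
}

// Constructed placeholder Response, not a real or signed assertion.
const SAMPLE_RESPONSE_XML =
  '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_placeholder"/>';

console.log(buildPostBindingPage(
  "https://carrental.example/acs", SAMPLE_RESPONSE_XML, 'next="/reserve"'));
```

The base64 text itself contains nothing that needs escaping, so the SAMLResponse field carries the encoded Response unchanged; only the RelayState and action URL are where escaping matters.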
