Subject: Re: [saml-dev] Google SAML demo
Also, doesn't the assertion need to be signed?

Tom

On 2/23/07, Scott Cantor <cantor.2@osu.edu> wrote:
> > Have you seen the Google SAML V2.0 demo?
> >
> > http://code.google.com/apis/apps/sso/saml_static_demo/saml_demo.html
> >
> > Cool! :-)
>
> Yeah, it is, but umm...hmm. Is it worth noting to them that they've missed a
> few things?
>
> Eyeballing it, the ProtocolBinding in the request is misused (it's what you
> want back, not what you sent with), the response is missing a Destination
> attribute, and the assertion is missing the mandated subject confirmation
> data for SSO and an audience condition. (Ironically there are duplicative
> mechs in SAML SSO for guarding against MitM attacks and they skipped both of
> them.)
>
> Nice of them to use https://www.opensaml.org as the Issuer though, but I'd
> probably feel more flattered if a Shibboleth SP wouldn't reject it.
>
> Any idea who we'd tell? Any googlites around here?
>
> -- Scott
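The omissions Scott lists (no Destination on the Response, no SubjectConfirmationData on the bearer confirmation, no AudienceRestriction) and Tom's question about the assertion signature are exactly the structural checks an SP makes before it trusts an SSO response. The following is an added example, not code from this thread or from any Shibboleth or OpenSAML component: it walks a samlp:Response with the standard library and reports each missing or mismatched element. The SP endpoint, the SP entityID and both sample responses are constructed for illustration, and the ds:Signature element in the well-formed sample is an empty stub, because this check only tests that a signature is present and does not verify it (a real SP verifies it against the IdP's key).

```python
import xml.etree.ElementTree as ET

# Standard SAML 2.0 and XML Signature namespace URIs.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


def check_sso_response(xml_text, expected_destination, expected_audience):
    """Structural checks an SSO consumer makes before trusting a samlp:Response.
    Returns a list of problem strings; an empty list means nothing was missing.
    Presence and values only: signature verification itself is out of scope."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]

    # Destination: the Response names the endpoint it was meant for, and the
    # SP compares that with the endpoint that actually received it.
    dest = root.get("Destination")
    if dest is None:
        problems.append("Response lacks Destination attribute")
    elif dest != expected_destination:
        problems.append("Destination %r != expected %r" % (dest, expected_destination))

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("Response carries no saml:Assertion")
        return problems

    # Signature: a bearer assertion for SSO is signed, either directly or via
    # a signature over the enclosing Response.
    if assertion.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        problems.append("neither Response nor Assertion carries a ds:Signature")

    # Bearer SubjectConfirmationData: the SSO profile requires Recipient and
    # NotOnOrAfter (and InResponseTo when answering an AuthnRequest).
    confirmations = assertion.findall("saml:Subject/saml:SubjectConfirmation", NS)
    bearer = [c for c in confirmations if c.get("Method") == BEARER]
    if not bearer:
        problems.append("no bearer SubjectConfirmation")
    else:
        scd = bearer[0].find("saml:SubjectConfirmationData", NS)
        if scd is None:
            problems.append("bearer SubjectConfirmation lacks SubjectConfirmationData")
        else:
            for attr in ("Recipient", "NotOnOrAfter"):
                if scd.get(attr) is None:
                    problems.append("SubjectConfirmationData lacks %s" % attr)
            if scd.get("Recipient") not in (None, expected_destination):
                problems.append("SubjectConfirmationData Recipient %r != expected %r"
                                % (scd.get("Recipient"), expected_destination))

    # AudienceRestriction: the assertion must name this SP as its audience.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if not audiences:
        problems.append("no AudienceRestriction condition")
    elif expected_audience not in audiences:
        problems.append("Audience %r does not include %r" % (audiences, expected_audience))
    return problems


# Constructed SP values (hypothetical endpoint and entityID).
SP_ACS = "https://sp.example.org/SAML2/POST"
SP_ENTITY_ID = "https://sp.example.org/shibboleth"

# Constructed response with the omissions discussed: no Destination, no
# SubjectConfirmationData, no AudienceRestriction, no Signature.
BAD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_r1" Version="2.0" IssueInstant="2007-02-23T00:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2007-02-23T00:00:00Z">
    <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed response carrying every required element (ds:Signature is an
# empty stub; only its presence is checked here).
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r2" Version="2.0" IssueInstant="2007-02-23T00:00:00Z"
  Destination="https://sp.example.org/SAML2/POST" InResponseTo="_req1">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Assertion ID="_a2" Version="2.0" IssueInstant="2007-02-23T00:00:00Z">
    <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
    <ds:Signature/>
    <saml:Subject><saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.org/SAML2/POST"
          NotOnOrAfter="2007-02-23T00:05:00Z" InResponseTo="_req1"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2007-02-23T00:00:00Z" NotOnOrAfter="2007-02-23T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.org/shibboleth</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for name, doc in (("bad", BAD_RESPONSE), ("good", GOOD_RESPONSE)):
        print(name, check_sso_response(doc, SP_ACS, SP_ENTITY_ID))
```

Run against the two constructed documents, the first reports four problems (Destination, Signature, SubjectConfirmationData, AudienceRestriction) and the second reports none. Destination and the Recipient/NotOnOrAfter/InResponseTo triple are the two independent bindings of a response to one endpoint and one request that Scott describes as duplicative MitM guards; an SP that checks either one rejects a response replayed to a different endpoint, which is why dropping both matters.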