[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [saml-dev] Google SAML demo
> Any idea who we'd tell? Any googlites around here?

I passed the various comments along to, I believe, the relevant person at
Google, who said: "Need to clean that thing up asap!" so I assume they will.

 - RL "Bob"

On Fri, 23 Feb 2007, Scott Cantor wrote:

>> Have you seen the Google SAML V2.0 demo?
>>
>> http://code.google.com/apis/apps/sso/saml_static_demo/saml_demo.html
>>
>> Cool! :-)
>
> Yeah, it is, but umm...hmm. Is it worth noting to them that they've missed a
> few things?
>
> Eyeballing it, the ProtocolBinding in the request is misused (it's what you
> want back, not what you sent with), the response is missing a Destination
> attribute, and the assertion is missing the mandated subject confirmation
> data for SSO and an audience condition. (Ironically there are duplicative
> mechs in SAML SSO for guarding against MitM attacks and they skipped both of
> them.)
>
> Nice of them to use https://www.opensaml.org as the Issuer though, but I'd
> probably feel more flattered if a Shibboleth SP wouldn't reject it.
>
> Any idea who we'd tell? Any googlites around here?
>
> -- Scott
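The points Scott raises (ProtocolBinding naming the binding wanted back, and an SP checking Destination, the bearer SubjectConfirmationData and the AudienceRestriction before accepting an assertion) as an added Python example. This is not code from the thread, from Google's demo, or from OpenSAML/Shibboleth; the entityIDs, URLs and the two sample Responses are constructed for illustration, and XML signature verification is assumed to happen before these checks run.

```python
"""Added example: the SAML 2.0 Web SSO bindings an SP checks before trusting an assertion.
Not code from the thread or from OpenSAML/Shibboleth; names and URLs are made up."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Hypothetical SP/IdP configuration (assumption, not from the thread).
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
SP_ACS_URL = "https://sp.example.org/Shibboleth.sso/SAML2/POST"
IDP_SSO_URL = "https://idp.example.org/sso"
IDP_ENTITY_ID = "https://idp.example.org/idp"


def build_authn_request(request_id, issue_instant):
    """ProtocolBinding names how the SP wants the Response delivered back
    (here HTTP-POST to AssertionConsumerServiceURL); it says nothing about
    the binding used to carry this request to the IdP."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
            f' ID="{request_id}" Version="2.0"'
            f' IssueInstant="{issue_instant.strftime("%Y-%m-%dT%H:%M:%SZ")}"'
            f' Destination="{IDP_SSO_URL}" ProtocolBinding="{HTTP_POST}"'
            f' AssertionConsumerServiceURL="{SP_ACS_URL}">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')


def _parse_time(value):
    # SAML timestamps are xsd:dateTime in UTC with a trailing Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text, outstanding_request_ids, now):
    """Return the problems found; an empty list means the Response and its
    Assertion are bound to this SP, this endpoint and one of our requests.
    Signature verification is assumed to have been done already."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"]
    # Destination: a Response captured and replayed to another endpoint fails here.
    dest = root.get("Destination")
    if dest is None:
        problems.append("Response is missing Destination")
    elif dest != SP_ACS_URL:
        problems.append(f"Destination {dest!r} is not this SP's ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["Response carries no Assertion"]
    # AudienceRestriction: the Assertion must name this SP as its intended audience.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if not audiences:
        problems.append("Assertion has no AudienceRestriction")
    elif SP_ENTITY_ID not in audiences:
        problems.append(f"Audience {audiences!r} does not include this SP's entityID")
    # Bearer SubjectConfirmationData: Web SSO requires Recipient, NotOnOrAfter and,
    # when answering an AuthnRequest, InResponseTo. For brevity every bearer
    # confirmation must pass here; the profile only needs one of them to.
    bearer = [sc for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS)
              if sc.get("Method") == BEARER]
    if not bearer:
        problems.append("Assertion has no bearer SubjectConfirmation")
    for sc in bearer:
        scd = sc.find("saml:SubjectConfirmationData", NS)
        if scd is None:
            problems.append("bearer SubjectConfirmation is missing SubjectConfirmationData")
            continue
        if scd.get("Recipient") != SP_ACS_URL:
            problems.append(f"Recipient {scd.get('Recipient')!r} is not this SP's ACS URL")
        expiry = scd.get("NotOnOrAfter")
        if expiry is None:
            problems.append("SubjectConfirmationData is missing NotOnOrAfter")
        elif now >= _parse_time(expiry):
            problems.append("SubjectConfirmationData has expired")
        in_reply = scd.get("InResponseTo")
        if in_reply is None:
            problems.append("SubjectConfirmationData is missing InResponseTo")
        elif in_reply not in outstanding_request_ids:
            problems.append(f"InResponseTo {in_reply!r} matches no outstanding request")
    return problems


NOW = datetime(2007, 2, 23, 12, 0, tzinfo=timezone.utc)
REQUEST_ID = "_req-0001"

# Constructed sample: a Response carrying all three bindings.
GOOD_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp-1" Version="2.0" IssueInstant="2007-02-23T11:59:00Z"
  Destination="{SP_ACS_URL}" InResponseTo="{REQUEST_ID}">
 <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a-1" Version="2.0" IssueInstant="2007-02-23T11:59:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID>
   <saml:SubjectConfirmation Method="{BEARER}">
    <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}"
      NotOnOrAfter="2007-02-23T12:05:00Z" InResponseTo="{REQUEST_ID}"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion></samlp:Response>"""

# Constructed sample modelled on the omissions described in the thread:
# no Destination, no SubjectConfirmationData, no AudienceRestriction.
BARE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp-2" Version="2.0" IssueInstant="2007-02-23T11:59:00Z">
 <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a-2" Version="2.0" IssueInstant="2007-02-23T11:59:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID>
   <saml:SubjectConfirmation Method="{BEARER}"/></saml:Subject>
 </saml:Assertion></samlp:Response>"""

if __name__ == "__main__":
    print(build_authn_request(REQUEST_ID, NOW))
    print("good:", check_response(GOOD_RESPONSE, {REQUEST_ID}, NOW))
    print("bare:", check_response(BARE_RESPONSE, {REQUEST_ID}, NOW))
```

Running it shows the bare Response failing all three checks, while the same good Response fails only the InResponseTo check when no matching request is outstanding, and only the NotOnOrAfter check once the confirmation window has passed: the Destination, Recipient/InResponseTo/NotOnOrAfter and Audience checks are the overlapping "mechs" Scott refers to, and a Shibboleth-style SP rejects an assertion that carries none of them.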