saml-dev message

Subject: Re: Re: RE: [saml-dev] how service provider authenticate assertion

hello Tom Scavo,

Firstly, thank you for your answer. I understand that saml:Conditions is used to validate the SAML assertion, such as the validation of time and so on. But how does the SP deal with this assertion? Just according to its own private policy? SAML only provides the exchange format of the message. For example, some SPs trust cross-domain users according to the attribute statement, but others according to the authentication statement. An SP can define some rules to deal with assertions. Is that right?

Another question is about assertion security. For example, an assertion is trusted by two SPs. After one SP gets the user's assertion, it can impersonate the user to access the other SP. It is a very serious security problem. How to solve this problem? Thank you very much!

Best regards!

hui zhang

======= 2008-05-21 19:35:46 In your letter you wrote: =======

>2008/5/20 张慧 <zhanghui_csu@126.com>:
>> From the SAML standard, I only find that saml:Condition needs to be authenticated. How about the SAML authenticate assertion statement, how to authenticate it? Define the authenticate rule by myself, parse the XML text to make a decision? The same for the subject statement.
>So it seems you're using the word "authenticate" inappropriately.  (I
>realize English is a second language here and you're trying to
>articulate the question the best you can.)  Perhaps the word you want
>to use is "validate."  You want to validate the SAML assertion,
>correct?  If so, the SAML Core spec is pretty clear on that (see
>section 2.5).
>> I don't know how to deal with the authenticate statement and saml:Subject in the SP. Does it relate to business requirement rules, not defined in the SAML standard?
>Once the assertion has been determined to be valid, the rest of the
>assertion content is taken as is.  Of course the relying party will
>apply local policy before taking any action based on the assertion
>content.  As you've guessed, policy is not defined in the SAML
>Hope that helps,

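The exchange above turns on the checks SAML Core section 2.5 asks a relying party to perform on saml:Conditions, and the second question (one SP presenting another SP's assertion) is exactly what the AudienceRestriction and OneTimeUse conditions exist for. The following is an added example, not code from the thread or from any OASIS implementation: it parses a constructed SAML 2.0 assertion (the entity IDs, timestamps and assertion ID are made up) and applies the NotBefore/NotOnOrAfter window, the audience check and a replay cache for OneTimeUse. Signature verification, which must happen before any of this, is assumed to have been done elsewhere.

```python
import datetime as dt
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (hypothetical issuer, audience and ID).
# A real assertion carries an XML signature that is verified before these checks.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-id-1" Version="2.0" IssueInstant="2008-05-21T10:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject><saml:NameID>hui</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2008-05-21T10:00:00Z" NotOnOrAfter="2008-05-21T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp1.example.com</saml:Audience>
    </saml:AudienceRestriction>
    <saml:OneTimeUse/>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2008-05-21T09:59:00Z"/>
</saml:Assertion>"""


def parse_time(s):
    """Parse the UTC 'Z' timestamp form used in SAML assertions."""
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_conditions(xml_text, my_entity_id, now, seen_ids,
                        clock_skew=dt.timedelta(seconds=60)):
    """Apply the saml:Conditions checks of SAML Core 2.5.

    Returns (ok, reason). `seen_ids` is the relying party's replay cache
    (a set of assertion IDs already accepted); it is only consulted and
    updated when the assertion carries a OneTimeUse condition.
    """
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "no Conditions element"

    # Validity window, with a small tolerance for clock drift between IdP and SP.
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now + clock_skew < parse_time(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after and now - clock_skew >= parse_time(not_on_or_after):
        return False, "assertion expired"

    # Every AudienceRestriction must be satisfied; within one, any Audience
    # matching this SP's entity ID is enough. This is what stops SP1 from
    # presenting an assertion minted for it to SP2.
    for restriction in cond.findall("saml:AudienceRestriction", SAML_NS):
        audiences = [(a.text or "").strip()
                     for a in restriction.findall("saml:Audience", SAML_NS)]
        if my_entity_id not in audiences:
            return False, "audience mismatch: assertion not intended for this SP"

    # OneTimeUse: the same assertion ID must not be accepted twice.
    if cond.find("saml:OneTimeUse", SAML_NS) is not None:
        assertion_id = root.get("ID")
        if assertion_id in seen_ids:
            return False, "replayed assertion ID"
        seen_ids.add(assertion_id)

    return True, "ok"


if __name__ == "__main__":
    cache = set()
    t = dt.datetime(2008, 5, 21, 10, 1, tzinfo=dt.timezone.utc)
    print(validate_conditions(SAMPLE_ASSERTION, "https://sp1.example.com", t, cache))
    print(validate_conditions(SAMPLE_ASSERTION, "https://sp2.example.com", t, set()))
```

The audience check answers the second question in the message: an assertion issued with an AudienceRestriction naming SP1 is rejected by SP2 even if SP1 forwards it, and OneTimeUse plus a short NotOnOrAfter window limits what a captured assertion is worth even at the intended SP. What the SP does after these checks pass (trusting the attribute statement versus the authentication statement) is the local policy Tom refers to.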