OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: Re: RE: [saml-dev] how service provider authenticate assertion


2008/5/21 Ż <zhanghui_csu@126.com>:
>
> ... how SP deal with this assertion,just according to their own private policy.SAML only provide exchange format of message. For example,some SP trust cross-domain user  according to attribute statement,but others according to authenticate statement.SP can define some rules to deal with assertions.Is it right?

These are policy issues and they are out of scope as far as SAML is
concerned.  Different implementations handle policy differently, so
you'll have to ask these questions of your favorite SAML implementer
:-)

>   Another question is about assertion security.For example,an assertion is trusted by two SP.After one SP get user's assertion,it can impersonate user to access another SP.It is a very serious security problem.How to solve this problem?

If you look at the section in SAML Core I referenced earlier, you'll
see that an assertion may have an <AudienceRestriction> element and
that a relying party must check that the enclosed <Audience> element
is valid.  Note that the SAML web browser SSO profile *requires* an
<Audience> element.

Tom


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]