OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: Re: Re: RE: [saml-dev] how service provider authenticate assertion

> I think <Audience> element can't solve the problem what I said.<Audience>
> element express who is the consumer of assertion.Now suppose there are two
> audience A and B in a SSO scenario.User Agent pushes its assertion to SP A
> firstly.At this time, A can impersonate user agent to access SP B.the
> <Audience> element of the assertion include B.

Which is why it doesn't include B. SSO assertions are issued to a single SP
and have many other constraints on their use inside SubjectConfirmationData.
They're not issued for reuse across more than one. You need to read the
profile again.

You can also find security analyses of SAML around the net, not to mention
the SAML security considerations document.
-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]