saml-dev message



Subject: RE: Re: Re: RE: [saml-dev] how service provider authenticate assertion


> I think the <Audience> element can't solve the problem that I described. The <Audience>
> element expresses who is the consumer of the assertion. Now suppose there are two
> audiences, A and B, in an SSO scenario. The User Agent pushes its assertion to SP A
> first. At this time, A can impersonate the user agent to access SP B, because the
> <Audience> element of the assertion includes B.

Which is why it doesn't include B. SSO assertions are issued to a single SP
and have many other constraints on their use inside SubjectConfirmationData.
They're not issued for reuse across more than one. You need to read the
profile again.

You can also find security analyses of SAML around the net, not to mention
the SAML security considerations document.
 
-- Scott
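The checks Scott is pointing at, shown as an added example that is not from this thread or from any SAML library: an SP verifying the AudienceRestriction and the bearer SubjectConfirmationData of an assertion issued for SP A, so that the same assertion presented at SP B is rejected. The assertion, entity IDs, ACS URLs and request ID are constructed for the illustration; signature verification, which comes first in a real SP, is left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample: an SSO assertion the IdP issued for SP A only.
# (IdP signature omitted; a real SP verifies it before these checks.)
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://sp-a.example.com/acs"
          NotOnOrAfter="2024-01-01T12:05:00Z" InResponseTo="_req42"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://sp-a.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_bearer(xml, entity_id, acs_url, request_id, now):
    """Return the reasons this SP must reject the assertion ([] = accepted)."""
    root = ET.fromstring(xml)
    problems = []
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append("audience mismatch")
    confirmed = False
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        scd = sc.find("saml:SubjectConfirmationData", NS)
        if sc.get("Method") != BEARER or scd is None:
            continue
        # Recipient binds the assertion to one ACS endpoint, InResponseTo to
        # one request that SP made, NotOnOrAfter limits the replay window.
        if (scd.get("Recipient") == acs_url
                and scd.get("InResponseTo") == request_id
                and _ts(scd.get("NotOnOrAfter")) > now):
            confirmed = True
    if not confirmed:
        problems.append("no bearer SubjectConfirmation valid for this SP")
    return problems
```

SP A accepts the assertion within its window; SP B fails both the audience check and the Recipient/InResponseTo check, which is why holding A's copy does not let A log in to B.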



