OASIS Mailing List Archives

saml-dev message


Subject: Question about Subject of a SAML assertion


I've a question about the Subject element of an Authentication

A user "A" is sitting in front of a service client SC. She wants to
obtain an assertion from an IdP, using WS-Trust. The service client is
trusted by some means by the user (for example X509 certificates), and the
user is trusted by the service client because he knows his password.

Now, the communication with the IdP is in place and the IdP authenticates
the user, for example, and creates the new SAML assertion. The subject of
the SAML assertion is the user "A"; there is no means, in the SAML
assertion, for the third service (the assertion consumer) to know that the
user A is sitting on the service client SC.

What happens if a valid service client SC' (valid for the network, I mean),
with a valid user A', obtains the token? Can he impersonate A on SC?

How to put the identity of SC in the SAML token?

Let's imagine a token signed, with the Bearer subjectConfirmation.


