[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Question about Subject of a SAML assertion
Hello,
I've a question about the Subject element of an Authentication
Assertion.
An user ``A'' is sitting in front of a service client SC. She wants to
obtain an
assertion from an IdP, using WS-Trust. The service client is trusted by
some meanings by the user (for example X509 certificates), and the user is
trusted by the service client because he knows his password.
Now, the communication with the IdP is in
place and the IdP authenticate the user, for example, and creates the
new SAML assertion. The subject of the SAML assertion is the user ``A'',
there are no meanings for the third service (the assertion consumer) that
the user A is sitting on the service client SC, in the SAML assertion.
What happens if a valid service client SC' (valid for the network, I mean),
with a valid user A', obtains the token? Can he impersonate A on SC?
How to put the identity of SC in the SAML token?
Let's imagine a token signed, with the Bearer subjectConfirmation.
Thanks,
Massimiliano
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]